# Get Token

> Authenticate a user with their credentials using the Resource Owner Password grant for trusted applications that cannot use redirects.

export const ResponseSchema = ({statusCode, type = "{}", children}) => {
  const [open, setOpen] = useState(false);
  return <div className="border border-gray-100 dark:border-gray-800 rounded-lg mb-3 overflow-hidden">
      <div className={`flex items-center gap-2.5 px-4 py-2.5 cursor-pointer select-none ${open ? "bg-gray-50 dark:bg-gray-800" : ""}`} onClick={() => setOpen(!open)}>
        {statusCode && <span className="border border-gray-300 dark:border-gray-600 text-gray-700 dark:text-gray-300 font-mono text-xs px-1.5 py-0.5 rounded">
            {statusCode.startsWith("default") ? "default" : statusCode}
          </span>}
        <span className="text-gray-500 dark:text-gray-400 text-sm font-mono">
          {type}
        </span>
        <span className="text-gray-400 dark:text-gray-500 text-sm italic">
          application/json
        </span>
        <svg className={`ml-auto opacity-50 transition-transform duration-200 ${open ? "rotate-180" : ""}`} width="16" height="16" viewBox="0 0 16 16" fill="none">
          <path d="M4 6l4 4 4-4" stroke="currentColor" strokeWidth="1.5" strokeLinecap="round" strokeLinejoin="round" />
        </svg>
      </div>
      {open && <div className="px-4 pt-1 pb-3 border-t border-gray-100 dark:border-gray-800">
          {children}
        </div>}
    </div>;
};

## Endpoint

`POST /oauth/token`

<Note>
  This flow should only be used from highly-trusted applications that **cannot do redirects**. If you can use redirect-based flows from your app, we recommend using the [Authorization Code Flow](#regular-web-app-login-flow) instead.
</Note>

This is the OAuth 2.0 grant that highly-trusted apps use to access an API. In this flow, the end-user is asked to fill in credentials (username/password), typically using an interactive form in the user-agent (browser). This information is sent to the backend and from there to Auth0. It is therefore imperative that the application is absolutely trusted with this information.

### Request Headers

| Parameter             | Description                                                                                                  |
| :-------------------- | :----------------------------------------------------------------------------------------------------------- |
| `auth0-forwarded-for` | End-user IP as a string value. Set this if you want brute-force protection to work in server-side scenarios. |

### Responses

#### 200

A successful request returns the access token.

```http
HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token":"eyJz93a...k4laUWw",
  "token_type":"Bearer",
  "expires_in":86400
}
```

### Remarks

* The scopes issued to the application may differ from the scopes requested. In this case, a `scope` parameter will be included in the response JSON.
* If you don't request specific scopes, all scopes defined for the audience will be returned, because this grant implies trust in the application.
* To add realm support, set the `grant_type` to `http://auth0.com/oauth/grant-type/password-realm`, and the `realm` to the realm the user belongs to. This maps to a connection in Auth0.
* In addition to username and password, Auth0 may require the end-user to provide an additional factor as proof of identity. The request may return an `mfa_required` error along with an `mfa_token` for multi-factor authentication.

### Learn More

* [Calling APIs from Highly-Trusted Applications](https://auth0.com/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow)
* [Executing the Resource Owner Password Grant](https://auth0.com/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow/call-your-api-using-resource-owner-password-flow)
* [Multi-factor Authentication and Resource Owner Password](https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa)

## Headers

<ParamField header="DPoP" type="string">
  A DPoP proof for the request. This is optional and only required if your application uses Demonstrating Proof-of-Possession.
</ParamField>

## Body Parameters

<ParamField body="grant_type" type="string" required>
  Denotes the flow you are using. For Resource Owner Password use `password`.
</ParamField>

<ParamField body="username" type="string" required>
  Resource Owner's identifier, such as a username or email address.
</ParamField>

<ParamField body="password" type="string" required>
  Resource Owner's secret.
</ParamField>

<ParamField body="audience" type="string">
  The unique identifier of the target API you want to access.
</ParamField>

<ParamField body="resource" type="string">
  The identifier of the target API (resource server) you want to access. Must match an API Identifier registered in your Auth0 tenant. Used as an alternative to `audience` when the tenant's [Resource Parameter Compatibility Profile](https://auth0.com/docs/get-started/tenant-settings#settings-advanced) is set to `compatibility`.
</ParamField>

<ParamField body="scope" type="string">
  String value of the different scopes the application is asking for.
</ParamField>

<ParamField body="client_id" type="string" required>
  Your application's Client ID.
</ParamField>

<ParamField body="client_secret" type="string">
  Your application's Client Secret.
</ParamField>

<ParamField body="realm" type="string">
  String value of the realm the user belongs to.
</ParamField>
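
The body parameters above and the behaviours listed under Remarks, combined in an added example that is not part of the Auth0 documentation: it builds the `POST /oauth/token` request for a backend (switching to the realm grant type when a `realm` is given and validating the end-user IP before placing it in `auth0-forwarded-for`), then classifies the response, including `mfa_required` and a narrowed `scope`. The function names, the sample bodies and the scope names `read:orders`/`write:orders` are assumptions made for illustration; nothing is sent over the network.

```python
import ipaddress
import json
from urllib.parse import urlencode

REALM_GRANT = "http://auth0.com/oauth/grant-type/password-realm"

# Constructed sample response bodies (not captured from a real tenant).
SAMPLE_OK = '{"access_token":"eyJz93a...k4laUWw","token_type":"Bearer","expires_in":86400,"scope":"read:orders"}'
SAMPLE_MFA = '{"error":"mfa_required","mfa_token":"PLACEHOLDER_MFA_TOKEN"}'


def build_token_request(domain, client_id, username, password, end_user_ip,
                        audience=None, scope=None, realm=None, client_secret=None):
    """Return (url, headers, form_body) for POST /oauth/token. Nothing is sent."""
    # Forward exactly one syntactically valid address; a raw proxy header value
    # such as "a, b" raises ValueError here instead of being passed along.
    ip = str(ipaddress.ip_address(end_user_ip))
    fields = {
        "grant_type": REALM_GRANT if realm else "password",
        "username": username, "password": password,
        "client_id": client_id, "client_secret": client_secret,
        "audience": audience, "scope": scope, "realm": realm,
    }
    body = urlencode({k: v for k, v in fields.items() if v is not None})
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "auth0-forwarded-for": ip}
    return f"https://{domain}/oauth/token", headers, body


def interpret_token_response(raw_json, requested_scope=None):
    """Classify a response body; the access token itself is not returned."""
    data = json.loads(raw_json)
    if data.get("error") == "mfa_required":
        # A second factor is still needed; mfa_token continues the login.
        return {"status": "mfa_required", "mfa_token": data.get("mfa_token")}
    if "error" in data:
        return {"status": "error", "error": data["error"]}
    requested = set((requested_scope or "").split())
    if "scope" in data:      # present when issued scopes differ from the request
        granted = set(data["scope"].split())
    else:                    # absent: issued as requested, or all audience scopes
        granted = requested or None
    return {"status": "ok", "token_type": data["token_type"],
            "expires_in": data["expires_in"],
            "granted": sorted(granted) if granted is not None else None,
            "not_granted": sorted(requested - (granted or set()))}
```

A `granted` value of `None` means no scopes were requested and none were listed in the response, which per the Remarks corresponds to all scopes defined for the audience.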

## Response Schema

<ResponseSchema>
  <ResponseField name="access_token" type="string">
    The access token.
  </ResponseField>

  <ResponseField name="token_type" type="string">
    The type of token. Usually `Bearer`.
  </ResponseField>

  <ResponseField name="expires_in" type="integer">
    The access token lifetime in seconds.
  </ResponseField>
</ResponseSchema>

## Response Messages

| Status | Description               |
| ------ | ------------------------- |
| 200    | Returns the access token. |
