
OAuth2 Token Endpoint

POST /oauth2/access_token

Exchanges authorization codes or refresh tokens for access tokens.

Request body (one of the following objects):

object

grant_type (string, required)
    Grant type; must be authorization_code, refresh_token, password or otp.
    Allowed values: authorization_code, refresh_token, password, otp

client_id (string, required)
    The client application's identifier.

client_secret (string)
    The client application's secret.

code (string, required)
    Authorization code received from the /oauth2/authorize endpoint, or the OTP code.

redirect_uri (string, format: uri, required)
    The same redirect URI used in the authorization request.

code_verifier (string, required)
    Original code verifier used in the PKCE flow.

refresh_token (string)
    Refresh token for obtaining new access tokens.

username (string)
    Customer e-mail or, for third-party authentication, one of the values facebook, google, or apple. See documentation.

password (string)
    Plain-text password, or a JSON-encoded string of token, source, and name. See documentation.

Response: successful token response.

object

access_token (string)
    The access token issued by the authorization server.

token_type (string)
    The type of the token issued (typically 'Bearer').

expires_in (integer)
    Lifetime in seconds of the access token.

refresh_token (string)
    Refresh token to obtain new access tokens.

scope (string)
    Scopes granted to the access token.

Invalid request or authorization code.

Invalid client credentials or unauthorized request.
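As an added example, not part of this API reference or its implementation: a small Python client helper that derives a PKCE verifier/challenge pair (S256, RFC 7636), builds the form body for POST /oauth2/access_token with the parameters each grant type needs, and validates the token response before the client trusts it. The per-grant required-parameter lists and the helper names are assumptions drawn from the field descriptions above.

```python
import base64
import hashlib
import secrets

# Endpoint path from the reference above; the per-grant parameter lists are an
# assumption derived from the field descriptions, not a published schema.
TOKEN_PATH = "/oauth2/access_token"
ALLOWED_GRANTS = ("authorization_code", "refresh_token", "password", "otp")
REQUIRED_BY_GRANT = {
    "authorization_code": ("client_id", "code", "redirect_uri", "code_verifier"),
    "refresh_token": ("client_id", "refresh_token"),
    "password": ("client_id", "username", "password"),
    "otp": ("client_id", "code"),
}


def make_pkce_pair(verifier=None):
    """Return (code_verifier, S256 code_challenge) as defined in RFC 7636."""
    if verifier is None:
        # 32 random bytes -> 43 unreserved URL-safe characters (min length 43)
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_token_request(grant_type, **params):
    """Build the form body for POST /oauth2/access_token; reject incomplete requests."""
    if grant_type not in ALLOWED_GRANTS:
        raise ValueError(f"unsupported grant_type: {grant_type}")
    missing = [k for k in REQUIRED_BY_GRANT[grant_type] if not params.get(k)]
    if missing:
        raise ValueError(f"{grant_type} requires: {', '.join(missing)}")
    body = {"grant_type": grant_type}
    body.update({k: v for k, v in params.items() if v is not None})
    return body


def check_token_response(resp):
    """Validate a decoded JSON token response before storing or using the token."""
    if not isinstance(resp.get("access_token"), str) or not resp["access_token"]:
        raise ValueError("missing access_token")
    if str(resp.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    if not isinstance(resp.get("expires_in"), int) or resp["expires_in"] <= 0:
        raise ValueError("expires_in must be a positive integer")
    return resp
```

The verifier must be kept client-side and sent only in the token request; the challenge is what goes to /oauth2/authorize.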