Skip to main content
curl --request POST \
  --url https://${projectDomain}/v1/oauth2/token \
  -H 'Content-Type: application/json' \
  -d '{
    "client_id": "${exampleConnectedAppClientID}",
    "client_secret": "${exampleConnectedAppClientSecret}",
    "redirect_uri": "https://example.com/callback",
    "grant_type": "authorization_code",
    "code": "${exampleConnectedAppAuthCode}"
  }'


{
  "access_token": "eyJ...",
  "expires_in": 3600,
  "refresh_token": "wUU...",
  "scope": "openid email profile phone",
  "token_type": "bearer",
  "id_token": "eyJ...",
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "status_code": 200
}
POST
https://${projectdomain}
/
v1
/
oauth2
/
token
curl --request POST \
  --url https://${projectDomain}/v1/oauth2/token \
  -H 'Content-Type: application/json' \
  -d '{
    "client_id": "${exampleConnectedAppClientID}",
    "client_secret": "${exampleConnectedAppClientSecret}",
    "redirect_uri": "https://example.com/callback",
    "grant_type": "authorization_code",
    "code": "${exampleConnectedAppAuthCode}"
  }'


{
  "access_token": "eyJ...",
  "expires_in": 3600,
  "refresh_token": "wUU...",
  "scope": "openid email profile phone",
  "token_type": "bearer",
  "id_token": "eyJ...",
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "status_code": 200
}
This endpoint uses your Custom Domain. The authorization_code grant type is used to complete an OAuth or OIDC login flow with user interaction. When using the authorization_code grant type, a code and redirect_uri must be provided. Additionally, a code_verifier must be provided if PKCE was used at the start of the login flow. The response from the Authorization Code flow differs depending on the scopes granted to the client.
  • If the openid scope has been granted, an id_token will be returned in the response.
  • If the offline_access scope has been granted, a refresh_token will be returned in the response.
Connected App Access Tokens and ID Tokens are JWTs signed with the project’s JWKS. ID Tokens are valid for one hour after issuance. Access Tokens expiry is controlled by the client’s access_token_expiry_minutes field, which also defaults to one hour. You can validate and examine your access and refresh tokens by using the Token Introspection Endpoint. Access token JWTs can be validated locally by using a Stytch Backend SDK, or any library that supports the JWT protocol.
Unlike other Stytch API endpoints, this endpoint is not authenticated with a project_id and project_secret pair. Instead, it is authenticated via the client_id and client_secret of an active Connected App Client within the current project.
This endpoint is an RFC-6749 compliant token issuing endpoint.
  • This endpoint supports passing the client_id and client_secret within the request body as well as within a HTTP-Basic Auth header.
  • This endpoint supports both application/json and application/x-www-form-urlencoded content types.
We recommend using the Custom Domain whenever possible. For backwards compatibility reasons, this endpoint is also available at https://test.stytch.com/v1/public/${projectId}/oauth2/token.

Body

client_id
string
required
The ID of the Connected App client.
client_secret
string
required
The secret of the Connected App client. Required for confidential clients
code_verifier
string
required
A base64url encoded one time secret used to validate that the request starts and ends on the same device. Required for public clients
grant_type
string
required
The OAuth2 defined grant type that should be used to acquire an access token. Either authorization_code or refresh_token is supported for Connected App clients. An error will be returned if this parameter is omitted.
code
string
An authorization code parsed from the query params of an OAuth flow callback. This field is required when using the authorization_code grant.
redirect_uri
string
The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the authorization_code grant.

Response

access_token
string
The access token granted to the client. Access tokens are JWTs signed with the project’s JWKS.
id_token
string
An ID token containing information about the authenticated end-user. ID Tokens are JWTs signed with the project’s JWKS. Only returned if the openid scope is granted.
refresh_token
string
An opaque token that may be used in the future to retrieve a new access token. Only returned if the offline_access scope is granted.
token_type
string
The type of the returned access token. Today, this value will always be equal to “bearer”
expires_in
number
The lifetime in seconds of the access token. For example, the value 3600 denotes that the access token will expire in one hour from the time the response was generated.
request_id
string
Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
status_code
number
The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.