> ## Documentation Index
> Fetch the complete documentation index at: https://stytch.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Exchange Authorization Code

> Exchange an authorization code for an access token for a Connected App client.

This endpoint uses your [Custom Domain](/connected-apps/resources/custom-domains).

The `authorization_code` grant type is used to complete an OAuth or OIDC login flow with user interaction. When using the `authorization_code` grant type, a `code` and `redirect_uri` must be provided. Additionally, a `code_verifier` must be provided if PKCE was used at the start of the login flow.

The response from the Authorization Code flow differs depending on the scopes granted to the client.

* If the `openid` scope has been granted, an `id_token` will be returned in the response.
* If the `offline_access` scope has been granted, a `refresh_token` will be returned in the response.

Connected App [**Access Tokens**](/api-reference/consumer/api/connected-apps/tokens/connected-app-access-token-object) and [**ID Tokens**](/api-reference/consumer/api/connected-apps/tokens/connected-app-id-token-object) are JWTs signed with the project's [JWKS](/api-reference/consumer/api/connected-apps/configuration/get-jwks). ID Tokens are valid for one hour after issuance. Access Tokens expiry is controlled by the client's `access_token_expiry_minutes` field, which also defaults to one hour.

You can validate and examine your access and refresh tokens by using the [Token Introspection Endpoint](/api-reference/consumer/api/connected-apps/methods/introspect-token).

Access token JWTs can be validated locally by using a [Stytch Backend SDK](/api-reference/consumer/api/connected-apps/methods/authenticate-access-token-local), or any library that supports the JWT protocol.

<Note>
  Unlike other Stytch API endpoints, this endpoint is not authenticated with a `project_id` and `project_secret` pair. Instead, it is authenticated via the `client_id` and `client_secret` of an active Connected App Client within the current project.
</Note>

This endpoint is an [RFC-6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4) compliant token issuing endpoint.

* This endpoint supports passing the `client_id` and `client_secret` within the request body as well as within a [HTTP-Basic Auth](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1) header.
* This endpoint supports both `application/json` and `application/x-www-form-urlencoded` content types.

<Info>
  We recommend using the [Custom Domain](/connected-apps/resources/custom-domains) whenever possible. For backwards compatibility reasons, this endpoint is also available at `https://test.stytch.com/v1/public/${projectId}/oauth2/token`.
</Info>

## Body

<ParamField body="client_id" type="string" required>
  The ID of the Connected App client.
</ParamField>

<ParamField body="client_secret" type="string" required>
  The secret of the Connected App client. **Required for confidential clients**
</ParamField>

<ParamField body="code_verifier" type="string" required>
  A base64url encoded one time secret used to validate that the request starts and ends on the same device. **Required for public clients**
</ParamField>

<ParamField body="grant_type" type="string" required>
  The OAuth2 defined grant type that should be used to acquire an access token. Either `authorization_code` or `refresh_token` is supported for Connected App clients. An error will be returned if this parameter is omitted.
</ParamField>

<ParamField body="code" type="string">
  An authorization code parsed from the query params of an OAuth flow callback. This field is required when using the `authorization_code` grant.
</ParamField>

<ParamField body="redirect_uri" type="string">
  The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant.
</ParamField>

## Response

<ResponseField name="access_token" type="string">
  The access token granted to the client. Access tokens are JWTs signed with the project's JWKS.
</ResponseField>

<ResponseField name="id_token" type="string">
  An ID token containing information about the authenticated end-user. ID Tokens are JWTs signed with the project's JWKS. Only returned if the `openid` scope is granted.
</ResponseField>

<ResponseField name="refresh_token" type="string">
  An opaque token that may be used in the future to retrieve a new access token. Only returned if the `offline_access` scope is granted.
</ResponseField>

<ResponseField name="token_type" type="string">
  The type of the returned access token. Today, this value will always be equal to "bearer"
</ResponseField>

<ResponseField name="expires_in" type="number">
  The lifetime in seconds of the access token. For example, the value 3600 denotes that the access token will expire in one hour from the time the response was generated.
</ResponseField>

<ResponseField name="request_id" type="string">
  Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we
  may ask for this value to help identify a specific API call when helping you debug an issue.
</ResponseField>

<ResponseField name="status_code" type="number">
  The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values
  equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
</ResponseField>

<Panel>
  <RequestExample>
    ```curl theme={null}
    curl --request POST \
      --url https://${projectDomain}/v1/oauth2/token \
      -H 'Content-Type: application/json' \
      -d '{
        "client_id": "${exampleConnectedAppClientID}",
        "client_secret": "${exampleConnectedAppClientSecret}",
        "redirect_uri": "https://example.com/callback",
        "grant_type": "authorization_code",
        "code": "${exampleConnectedAppAuthCode}"
      }'

    ```
  </RequestExample>

  <ResponseExample>
    ```json 200 theme={null}
    {
      "access_token": "eyJ...",
      "expires_in": 3600,
      "refresh_token": "wUU...",
      "scope": "openid email profile phone",
      "token_type": "bearer",
      "id_token": "eyJ...",
      "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
      "status_code": 200
    }
    ```

    ```json 404 theme={null}
    {
      "status_code": 404,
      "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
      "error_type": "idp_client_not_found",
      "error_message": "The IDP client requested could not be found.",
      "error_url": "https://stytch.com/docs/api/errors/404"
    }
    ```

    ```json 429 theme={null}
    {
      "status_code": 429,
      "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
      "error_type": "too_many_requests",
      "error_message": "Too many requests have been made.",
      "error_url": "https://stytch.com/docs/api/errors/429"
    }
    ```

    ```json 500 theme={null}
    {
      "status_code": 500,
      "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
      "error_type": "internal_server_error",
      "error_message": "Oops, something seems to have gone wrong, please reach out to support@stytch.com to let us know what went wrong.",
      "error_url": "https://stytch.com/docs/api/errors/500"
    }
    ```
  </ResponseExample>
</Panel>
