Request a Token

post

https://na1.ironcladapp.com/oauth/token

This endpoint is used to request a token from the authorization server. If requesting an initial token in the Authorization Code grant, an authorization code, client ID, and client secret must be provided. If requesting to refresh an existing token in the Authorization Code grant, a refresh token, client ID, and client secret must be provided. If requesting a token via the Client Credentials grant, a client ID and secret must be provided. See endpoint specification.

Body Params

grant_type

string

enum

required

The grant type for the request. Must be set to 'authorization_code' for the Authorization Code grant initial token request.

Allowed:

code

string

required

The authorization code received from the authorization server.

redirect_uri

string

required

The client applications redirect URI. Must be registered on the client application and consistent throughout the authorization transaction.

client_id

string

The client ID of the client application issued at registration. Required if not provided in the Authorization header.

client_secret

string

The client secret of the client application issued at registration. Required if not provided in the Authorization header.

Headers

Authorization

string

The client ID and client secret of the client application in the format 'Basic <client_id:client_secret>' where client ID and secret are base64 encoded. Required if not provided in the request body.

Responses

Language

URL

Response

Click Try It! to start a request and see the response here! Or choose an example:

application/json

200A successful response will return the relevant token details.

400If the request is missing required parameters or has invalid parameters, the client will receive either an 'invalid_request' or 'invalid_scope' response.

401If the client associated with the initial authorization request does not match the client requesting the token or if the client associated with a token does not match the client requesting a token refresh, the client will receive an 'invalid_client' response.

403If the client is not authorized to use a particular grant, the client will receive an 'unauthorized_client' response. If the request includes an invalid authorization code, an invalid refresh token, or an invalid redirect URI, the client will receive an 'invalid_grant' response.