Exchange Authorization Code
🔓 PUBLIC ENDPOINT: Exchanges an authorization code for access and refresh tokens (Authorization Code Flow). Requires valid code, client_id, client_secret, and redirect_uri. Rate limit: 15 requests per minute.
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| code | string | Yes | Authorization code from /oauth/authorize |
| clientId | string | Yes | OAuth application client ID |
| clientSecret | string | Yes | OAuth application client secret |
| redirectUri | string | Yes | Redirect URI (must match authorization request) |
| grantType | string | Yes | Grant type (default: "authorization_code") |
Example Request
Example Response
Important Notes
- The `redirectUri` must exactly match the one used in the authorization request
- Authorization codes are single-use and expire quickly
- Store the refresh token securely for token renewal
Common Errors
400 Bad Request
Invalid request. Check required fields: code, client_id, client_secret, redirect_uri, grant_type.
401 Unauthorized
Invalid authorization code, client credentials, or redirect URI mismatch.
429 Too Many Requests
Rate limit exceeded. Maximum 15 requests per minute for code exchange.
Body
Authorization code received from the authorization endpoint
"code_abc123..."
OAuth application client ID
"app_abc123..."
OAuth application client secret
"cs_abc123..."
Redirect URI that was used in the authorization request (must match exactly)
"https://example.com/oauth/callback"
Grant type (authorization_code for code exchange)
"authorization_code"
PKCE code verifier (required if code_challenge was provided during authorization). Random string used to generate the code_challenge.
"dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
Response
Code exchanged successfully. Returns access_token, refresh_token, token_type (Bearer), expiration time, and scopes.
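The PKCE verifier and the exact-match redirect URI rule described above can be checked on the client before the request is sent, so a mismatch does not use up one of the 15 requests per minute. This is an added example, not code from this API's documentation. It assumes the S256 challenge method from RFC 7636 and a body field named `codeVerifier`; neither is stated on this page.

```python
import base64
import hashlib
import hmac
import secrets


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA-256(ASCII(verifier))) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Return (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    raw = secrets.token_bytes(32)
    verifier = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return verifier, s256_challenge(verifier)


def build_exchange_body(code, client_id, client_secret, redirect_uri,
                        authorized_redirect_uri, code_verifier=None,
                        sent_challenge=None):
    """Build the JSON body for the code exchange, failing locally on mismatches."""
    # The match must be exact, so compare raw strings: no case folding and
    # no trailing-slash normalisation.
    if redirect_uri != authorized_redirect_uri:
        raise ValueError("redirectUri differs from the authorization request")
    body = {
        "code": code,
        "clientId": client_id,
        "clientSecret": client_secret,
        "redirectUri": redirect_uri,
        "grantType": "authorization_code",
    }
    if sent_challenge is not None:
        # A code_challenge was sent at /oauth/authorize, so the verifier is required.
        if code_verifier is None:
            raise ValueError("code_verifier required: code_challenge was sent")
        if not hmac.compare_digest(s256_challenge(code_verifier), sent_challenge):
            raise ValueError("code_verifier does not hash to the sent code_challenge")
        # Assumed field name: the page does not show the verifier's key.
        body["codeVerifier"] = code_verifier
    return body
```

Keep the verifier in server-side session state tied to the authorization request; the sample values in the test are constructed.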