> ## Documentation Index
> Fetch the complete documentation index at: https://docs.timbrix.mx/llms.txt
> Use this file to discover all available pages before exploring further.

# Exchange Authorization Code

> 🔓 PUBLIC ENDPOINT: Exchanges an authorization code for access and refresh tokens (Authorization Code Flow). Requires valid code, client_id, client_secret, and redirect_uri. Rate limit: 15 requests per minute.

Exchanges an authorization code for access and refresh tokens (Authorization Code Flow).

<Warning>
  This is a **PUBLIC ENDPOINT** (no authentication required). Rate-limited to
  **15 requests per minute**.
</Warning>

## Request Body

| Field          | Type   | Required | Description                                     |
| -------------- | ------ | -------- | ----------------------------------------------- |
| `code`         | string | Yes      | Authorization code from `/oauth/authorize`      |
| `clientId`     | string | Yes      | OAuth application client ID                     |
| `clientSecret` | string | Yes      | OAuth application client secret                 |
| `redirectUri`  | string | Yes      | Redirect URI (must match authorization request) |
| `grantType`    | string | Yes      | Grant type (default: "authorization\_code")     |

## Example Request

```bash theme={null}
curl -X POST http://localhost:3001/api/oauth/token/exchange \
  -H "Content-Type: application/json" \
  -d '{
    "code": "code_abc123xyz...",
    "clientId": "app_1234567890abcdef",
    "clientSecret": "cs_1234567890abcdef",
    "redirectUri": "https://example.com/oauth/callback",
    "grantType": "authorization_code"
  }'
```

## Example Response

```json theme={null}
{
  "access_token": "eyJhbGciOiJIUzI1NiIs...",
  "refresh_token": "rt_abc123xyz...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "read:user read:organization"
}
```

## Important Notes

* The `redirectUri` must **exactly match** the one used in the authorization request
* Authorization codes are single-use and expire quickly
* Store the refresh token securely for token renewal

## Common Errors

### 400 Bad Request

Invalid request. Check required fields: code, client\_id, client\_secret, redirect\_uri, grant\_type.

### 401 Unauthorized

Invalid authorization code, client credentials, or redirect URI mismatch.

### 429 Too Many Requests

Rate limit exceeded. Maximum 15 requests per minute for code exchange.


## OpenAPI

````yaml POST /oauth/token/exchange
openapi: 3.1.0
info:
  title: Timbrix API
  description: >-
    REST API with OAuth2 server for managing organizations, members, and
    webhooks
  version: '1.0'
  contact: {}
servers:
  - url: http://sandbox.mintlify.com
    description: Sandbox environment
  - url: http://localhost:3001/api
    description: Local development
security: []
tags:
  - name: organizations
    description: Organization management endpoints
  - name: oauth
    description: OAuth2 authentication and authorization
  - name: webhooks
    description: Webhook configuration and delivery
  - name: users
    description: User information endpoints
  - name: api-keys
    description: API Keys management and validation
paths:
  /oauth/token/exchange:
    post:
      tags:
        - oauth
      summary: Exchange authorization code for access token
      description: >-
        🔓 PUBLIC ENDPOINT: Exchanges an authorization code for access and
        refresh tokens (Authorization Code Flow). Requires valid code,
        client_id, client_secret, and redirect_uri. Rate limit: 15 requests per
        minute.
      operationId: OAuthController_exchangeCode
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ExchangeCodeDto'
      responses:
        '201':
          description: >-
            Code exchanged successfully. Returns access_token, refresh_token,
            token_type (Bearer), expiration time, and scopes.
        '400':
          description: >-
            Invalid request. Check required fields: code, client_id,
            client_secret, redirect_uri, grant_type.
        '401':
          description: >-
            Invalid authorization code, client credentials, or redirect URI
            mismatch.
        '429':
          description: >-
            Rate limit exceeded. Maximum 15 requests per minute for code
            exchange.
components:
  schemas:
    ExchangeCodeDto:
      type: object
      properties:
        code:
          type: string
          description: Authorization code received from the authorization endpoint
          example: code_abc123...
        clientId:
          type: string
          description: OAuth application client ID
          example: app_abc123...
        clientSecret:
          type: string
          description: OAuth application client secret
          example: cs_abc123...
        redirectUri:
          type: string
          description: >-
            Redirect URI that was used in the authorization request (must match
            exactly)
          example: https://example.com/oauth/callback
        grantType:
          type: string
          description: Grant type (authorization_code for code exchange)
          example: authorization_code
          default: authorization_code
        codeVerifier:
          type: string
          description: >-
            PKCE code verifier (required if code_challenge was provided during
            authorization). Random string used to generate the code_challenge.
          example: dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
      required:
        - code
        - clientId
        - clientSecret
        - redirectUri
        - grantType

````