# Generate OAuth Access Token

> 🔓 PUBLIC ENDPOINT: Generates an OAuth2 access token using client credentials flow. Requires valid client_id and client_secret. Token scopes are validated against application configuration. Rate limit: 10 requests per minute.

<Warning>
  This is a **PUBLIC ENDPOINT**: no bearer token is required to call it, but the request body must carry a valid `clientId` and `clientSecret`. Rate-limited to **10 requests per minute**.
</Warning>

## Request Body

| Field          | Type   | Required | Description                            |
| -------------- | ------ | -------- | -------------------------------------- |
| `clientId`     | string | Yes      | Client ID of the OAuth application     |
| `clientSecret` | string | Yes      | Client secret of the OAuth application |
| `scopes`       | array  | Yes      | OAuth scopes requested                 |
| `userId`       | string | No       | User ID for user-specific tokens       |

## Example Request

```bash
curl -X POST http://localhost:3001/api/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "clientId": "app_1234567890abcdef",
    "clientSecret": "cs_1234567890abcdef",
    "scopes": ["read:organization"]
  }'
```

## Example Response

```json
{
  "access_token": "eyJhbGciOiJIUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "read:organization"
}
```

## Token Scopes

Token scopes are validated against the OAuth application configuration. Only scopes configured for the application can be requested.

## Using the Token

Include the access token in API requests:

```bash
curl -X GET http://localhost:3001/api/users/me \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."
```

## Token Expiry

Access tokens expire after **1 hour** (3600 seconds). Use the refresh token endpoint to get a new token.
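
An added example (not part of the Timbrix documentation or any Timbrix SDK): a small Python token cache that requests a token once, reuses it until shortly before `expires_in` elapses, and handles the documented 201, 401 and 429 responses explicitly, which keeps a client well under the 10-requests-per-minute limit. The `post` transport callable, the 60-second renewal margin, and the treatment of `scope` as a space-separated list are assumptions.

```python
import time

TOKEN_URL = "http://localhost:3001/api/oauth/token"  # local development server from this page


class TokenCache:
    """Caches one access token and renews it shortly before it expires."""

    def __init__(self, post, client_id, client_secret, scopes,
                 clock=time.monotonic, skew=60):
        # post: assumed transport, callable(url, json_body) -> (http_status, parsed_json)
        self._post = post
        self._body = {"clientId": client_id, "clientSecret": client_secret,
                      "scopes": list(scopes)}
        self._clock = clock
        self._skew = skew          # renew this many seconds early (assumed margin)
        self._token = None
        self._expires_at = 0.0

    def get(self):
        """Return a valid access token, calling the endpoint only when needed."""
        if self._token and self._clock() < self._expires_at:
            return self._token     # still valid: no request, no rate-limit cost
        status, data = self._post(TOKEN_URL, self._body)
        if status == 429:
            raise RuntimeError("rate limited (10 token requests/minute); back off")
        if status == 401:
            raise PermissionError("invalid client credentials")
        if status != 201:          # the OpenAPI spec documents 201 for success
            raise RuntimeError(f"token request failed with HTTP {status}")
        if data.get("token_type") != "Bearer":
            raise ValueError("unexpected token_type")
        # Assumption: multiple granted scopes are space-separated in "scope".
        granted = set(data.get("scope", "").split())
        missing = set(self._body["scopes"]) - granted
        if missing:
            raise ValueError(f"scopes not granted: {sorted(missing)}")
        self._token = data["access_token"]
        self._expires_at = self._clock() + data["expires_in"] - self._skew
        return self._token

    def auth_header(self):
        """Header to attach to API requests, as in 'Using the Token'."""
        return {"Authorization": f"Bearer {self.get()}"}
```

Load the client secret from the environment or a secret store when constructing `TokenCache`, and never log the request body or the returned token.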

## Common Errors

### 400 Bad Request

Invalid request. Check the required fields: `clientId`, `clientSecret`, `scopes` (the request body uses camelCase names).

### 401 Unauthorized

Invalid client credentials. Check `clientId` and `clientSecret`.

### 429 Too Many Requests

Rate limit exceeded. Maximum 10 requests per minute for token generation.


## OpenAPI

````yaml POST /oauth/token
openapi: 3.1.0
info:
  title: Timbrix API
  description: >-
    REST API with OAuth2 server for managing organizations, members, and
    webhooks
  version: '1.0'
  contact: {}
servers:
  - url: http://sandbox.mintlify.com
    description: Sandbox environment
  - url: http://localhost:3001/api
    description: Local development
security: []
tags:
  - name: organizations
    description: Organization management endpoints
  - name: oauth
    description: OAuth2 authentication and authorization
  - name: webhooks
    description: Webhook configuration and delivery
  - name: users
    description: User information endpoints
  - name: api-keys
    description: API Keys management and validation
paths:
  /oauth/token:
    post:
      tags:
        - oauth
      summary: Generate OAuth access token
      description: >-
        🔓 PUBLIC ENDPOINT: Generates an OAuth2 access token using client
        credentials flow. Requires valid client_id and client_secret. Token
        scopes are validated against application configuration. Rate limit: 10
        requests per minute.
      operationId: OAuthController_generateToken
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/GenerateTokenDto'
      responses:
        '201':
          description: >-
            Access token generated successfully. Returns token, type (Bearer),
            expiration time, and granted scopes.
        '400':
          description: >-
            Invalid request. Check required fields: client_id, client_secret,
            scopes.
        '401':
          description: Invalid client credentials. Check client_id and client_secret.
        '429':
          description: >-
            Rate limit exceeded. Maximum 10 requests per minute for token
            generation.
components:
  schemas:
    GenerateTokenDto:
      type: object
      properties:
        clientId:
          type: string
          description: Client ID of the OAuth application
          example: app_1234567890abcdef
        clientSecret:
          type: string
          description: Client secret of the OAuth application
          example: cs_1234567890abcdef
        scopes:
          description: OAuth scopes requested
          example:
            - read:organization
          type: array
          items:
            type: string  # each scope is a string, e.g. read:organization
        userId:
          type: string
          description: User ID for user-specific tokens
          example: 550e8400-e29b-41d4-a716-446655440000
      required:
        - clientId
        - clientSecret
        - scopes

````