Access Token Response
If the access token request is valid and authorized, the authorization server issues an access token and optional refresh token.
The authorization server constructs the response by adding the following parameters to the entity-body of an HTTP response with a 200 (OK) status code. Because the body carries credentials, the server MUST also send Cache-Control: no-store and Pragma: no-cache so that neither the browser nor an intermediary caches it.
Parameter | Requirement | Description |
---|---|---|
access_token | REQUIRED | The access token issued by the authorization server. |
token_type | REQUIRED | The type of the token issued (for example "Bearer"). The value is case insensitive, so clients must compare it case-insensitively before deciding how to present the token to the resource server. |
expires_in | RECOMMENDED | The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated. If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value. |
refresh_token | OPTIONAL | The refresh token, which can be used to obtain new access tokens using the same authorization grant. |
scope | OPTIONAL if identical to the scope requested by the client; otherwise REQUIRED | The scope the authorization server actually granted. A client should verify that it is not broader than the scope it asked for and should expect it to be narrower when the resource owner or the server trimmed the request. |
Successful Response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600
}
Error Response
If the request failed client authentication or is invalid, the authorization server responds with an HTTP 400 (Bad Request) status code (unless specified otherwise, as for invalid_client below) and a JSON body whose "error" parameter is a single ASCII (USASCII) error code from the following list. The body may additionally carry an "error_description" (human-readable ASCII text for the developer, not for end users) and an "error_uri" pointing at documentation for the error.
Error | Description |
---|---|
invalid_request | The request is missing a required parameter, includes an unsupported parameter value (other than grant type), repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed. |
invalid_client | Client authentication failed (for example: unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client. |
invalid_grant | The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. |
unauthorized_client | The authenticated client is not authorized to use this authorization grant type. |
unsupported_grant_type | The authorization grant type is not supported by the authorization server. |
invalid_scope | The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner. |