--- title: Token (authorization_code) (NONE) description: The token endpoint is used by the client to obtain an access token by presenting its authorization grant. Note that authentication requirements to this endpoint are configured by the application's tokenEndpointAuthMethod property. For authorization_code`grant, the application calls the `POST /{{envID}}/as/token endpoint to acquire the access token. component: pingone-api page_id: pingone-api:auth:openid-connect-oauth-2/token-authorization_code-none canonical_url: https://developer.pingidentity.com/pingone-api/auth/openid-connect-oauth-2/token-authorization_code-none.html section_ids: prerequisites: Prerequisites headers: Headers body: Body example-request: Example Request example-response: Example Response --- # Token (authorization\_code) (NONE) ## ```none POST {{authPath}}/{{envID}}/as/token ``` The token endpoint is used by the client to obtain an access token by presenting its authorization grant. Note that authentication requirements to this endpoint are configured by the application's `tokenEndpointAuthMethod` property. For ``authorization_code`grant, the application calls the `POST /{{envID}}/as/token`` endpoint to acquire the access token. For an `authorization_code` grant type in which the application's `tokenEndpointAuthMethod` is set to `NONE`, the request requires the `client_id` property value and does not require an `Authorization` header. For a PKCE authorization request, the token request must include the `code_verifier` parameter: ```none curl -X POST \ 'https://auth.pingone.com/${{envID}}/as/token \ -H 'Content-Type: application/x-www-form-urlencoded' \ -d `grant_type=authorization_code&code={{authCode}}&client_id={{appID}}&redirect_uri={{redirect_uri}}&code_verifier={{codeVerifier}}' ``` To obtain a refresh token along with an access token, the application must be either: * Configured with the `refresh_token` grant type and the `authorization_code` grant type. * Configured with the `authorization_code` grant type, and include `offline_access` in the `scope` parameter. A refresh token is then generated along with the access token. When obtaining the original access token, a refresh token is included in the response, which is tied to the client and the user session. As long as the session exists and it is not expired (30 days since the last sign on), the `/{{envID}}/as/token` endpoint can be used to exchange the refresh token for a new access token and refresh token. If the `openid` scope is granted, an ID token is also included. When a new refresh token is issued, the previous refresh token is rotated to prevent token abuse, which is useful when client authentication is disabled. In addition, when a refresh token is exchanged, the `activeAt` property of the corresponding session is updated. This does not extend the duration of the session, but can be used to indicate that there is activity. To revoke a refresh token, the corresponding session must be deleted. Session termination is supported only by the resource owner using the `/{{envID}}/as/signoff` endpoint or by disabling the user. For more information about access token claims, refer to [Access token claims](../../foundations/authentication-concepts/access-tokens-and-id-tokens.html). ### Prerequisites * Refer to [OpenID Connect/OAuth 2](../openid-connect-oauth-2.html) and [Token](token-intro.html) for important overview information. * Run [Authorize (authorization\_code POST)](authorize-authorization_code-1.html) to generate an `authCode`. * `redirect_uri` values are an application attribute. Refer to [Application Operations](../../platform/applications/applications-1.html) for information about creating a new application. Run [Read One Application](../../platform/applications/applications-1/read-one-application.html) to find the `redirect_uri` value for an existing application. * Create an application to get an `appID`. Refer to [Application Operations](../../platform/applications/applications-1.html). Run [Read All Applications](../../platform/applications/applications-1/read-all-applications.html) to find an existing application. > **Collapse: Request Model** > > | Property | Type | Required? | > | --------------- | ------ | --------- | > | `client_id` | String | Required | > | `client_secret` | String | Required | > | `code` | String | Optional | > | `code_verifier` | String | Optional | > | `grant_type` | String | Optional | > | `redirect_uri` | String | Required | > > Refer to the [OpenID Connect/OAuth2 data model](../openid-connect-oauth-2.html) for full property descriptions. ### Headers Content-Type      application/x-www-form-urlencoded ### Body urlencoded ( application/x-www-form-urlencoded ) | Key | Value | | ------------- | ------------------- | | grant\_type | authorization\_code | | code | {{authCode}} | | redirect\_uri | {{redirect\_uri}} | | client\_id | {{appID}} | ## ### Example Request * cURL * C# * Go * HTTP * Java * jQuery * NodeJS * Python * PHP * Ruby * Swift ```shell curl --location --globoff '{{authPath}}/{{envID}}/as/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'grant_type=authorization_code' \ --data-urlencode 'code={{authCode}}' \ --data-urlencode 'redirect_uri={{redirect_uri}}' \ --data-urlencode 'client_id={{appID}}' ``` ```csharp var options = new RestClientOptions("{{authPath}}/{{envID}}/as/token") { MaxTimeout = -1, }; var client = new RestClient(options); var request = new RestRequest("", Method.Post); request.AddHeader("Content-Type", "application/x-www-form-urlencoded"); request.AddParameter("grant_type", "authorization_code"); request.AddParameter("code", "{{authCode}}"); request.AddParameter("redirect_uri", "{{redirect_uri}}"); request.AddParameter("client_id", "{{appID}}"); RestResponse response = await client.ExecuteAsync(request); Console.WriteLine(response.Content); ``` ```golang package main import ( "fmt" "strings" "net/http" "io" ) func main() { url := "{{authPath}}/{{envID}}/as/token" method := "POST" payload := strings.NewReader("grant_type=authorization_code&code=%7B%7BauthCode%7D%7D&redirect_uri=%7B%7Bredirect_uri%7D%7D&client_id=%7B%7BappID%7D%7D") client := &http.Client { } req, err := http.NewRequest(method, url, payload) if err != nil { fmt.Println(err) return } req.Header.Add("Content-Type", "application/x-www-form-urlencoded") res, err := client.Do(req) if err != nil { fmt.Println(err) return } defer res.Body.Close() body, err := io.ReadAll(res.Body) if err != nil { fmt.Println(err) return } fmt.Println(string(body)) } ``` ```http POST /{{envID}}/as/token HTTP/1.1 Host: {{authPath}} Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=%7B%7BauthCode%7D%7D&redirect_uri=%7B%7Bredirect_uri%7D%7D&client_id=%7B%7BappID%7D%7D ``` ```java OkHttpClient client = new OkHttpClient().newBuilder() .build(); MediaType mediaType = MediaType.parse("application/x-www-form-urlencoded"); RequestBody body = RequestBody.create(mediaType, "grant_type=authorization_code&code={{authCode}}&redirect_uri={{redirect_uri}}&client_id={{appID}}"); Request request = new Request.Builder() .url("{{authPath}}/{{envID}}/as/token") .method("POST", body) .addHeader("Content-Type", "application/x-www-form-urlencoded") .build(); Response response = client.newCall(request).execute(); ``` ```javascript var settings = { "url": "{{authPath}}/{{envID}}/as/token", "method": "POST", "timeout": 0, "headers": { "Content-Type": "application/x-www-form-urlencoded" }, "data": { "grant_type": "authorization_code", "code": "{{authCode}}", "redirect_uri": "{{redirect_uri}}", "client_id": "{{appID}}" } }; $.ajax(settings).done(function (response) { console.log(response); }); ``` ```javascript var request = require('request'); var options = { 'method': 'POST', 'url': '{{authPath}}/{{envID}}/as/token', 'headers': { 'Content-Type': 'application/x-www-form-urlencoded' }, form: { 'grant_type': 'authorization_code', 'code': '{{authCode}}', 'redirect_uri': '{{redirect_uri}}', 'client_id': '{{appID}}' } }; request(options, function (error, response) { if (error) throw new Error(error); console.log(response.body); }); ``` ```python import requests url = "{{authPath}}/{{envID}}/as/token" payload = 'grant_type=authorization_code&code=%7B%7BauthCode%7D%7D&redirect_uri=%7B%7Bredirect_uri%7D%7D&client_id=%7B%7BappID%7D%7D' headers = { 'Content-Type': 'application/x-www-form-urlencoded' } response = requests.request("POST", url, headers=headers, data=payload) print(response.text) ``` ```php setUrl('{{authPath}}/{{envID}}/as/token'); $request->setMethod(HTTP_Request2::METHOD_POST); $request->setConfig(array( 'follow_redirects' => TRUE )); $request->setHeader(array( 'Content-Type' => 'application/x-www-form-urlencoded' )); $request->addPostParameter(array( 'grant_type' => 'authorization_code', 'code' => '{{authCode}}', 'redirect_uri' => '{{redirect_uri}}', 'client_id' => '{{appID}}' )); try { $response = $request->send(); if ($response->getStatus() == 200) { echo $response->getBody(); } else { echo 'Unexpected HTTP status: ' . $response->getStatus() . ' ' . $response->getReasonPhrase(); } } catch(HTTP_Request2_Exception $e) { echo 'Error: ' . $e->getMessage(); } ``` ```ruby require "uri" require "net/http" url = URI("{{authPath}}/{{envID}}/as/token") http = Net::HTTP.new(url.host, url.port); request = Net::HTTP::Post.new(url) request["Content-Type"] = "application/x-www-form-urlencoded" request.body = "grant_type=authorization_code&code=%7B%7BauthCode%7D%7D&redirect_uri=%7B%7Bredirect_uri%7D%7D&client_id=%7B%7BappID%7D%7D" response = http.request(request) puts response.read_body ``` ```swift let parameters = "grant_type=authorization_code&code=%7B%7BauthCode%7D%7D&redirect_uri=%7B%7Bredirect_uri%7D%7D&client_id=%7B%7BappID%7D%7D" let postData = parameters.data(using: .utf8) var request = URLRequest(url: URL(string: "{{authPath}}/{{envID}}/as/token")!,timeoutInterval: Double.infinity) request.addValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type") request.httpMethod = "POST" request.httpBody = postData let task = URLSession.shared.dataTask(with: request) { data, response, error in guard let data = data else { print(String(describing: error)) return } print(String(data: data, encoding: .utf8)!) } task.resume() ``` ### Example Response 200 OK ```json { "access_token": "eyJhbGciOiJSUz...", "token_type": "Bearer", "expires_in": 3600, "scope": "openid" } ```