--- title: Token (authorization_code) (PRIVATE_KEY_JWT) description: The token endpoint is used by the client to obtain an access token by presenting its authorization grant. Note that authentication requirements to this endpoint are configured by the application's tokenEndpointAuthMethod property. For authorization_code and client_credentials grants, the application calls the POST /{{envID}}/as/token endpoint to acquire the access token. component: pingone-api page_id: pingone-api:auth:openid-connect-oauth-2/token-authorization_code-private-key-jwt canonical_url: https://developer.pingidentity.com/pingone-api/auth/openid-connect-oauth-2/token-authorization_code-private-key-jwt.html section_ids: headers: Headers body: Body example-request: Example Request example-response: Example Response --- # Token (authorization\_code) (PRIVATE\_KEY\_JWT) ## ```none POST {{authPath}}/{{envID}}/as/token ``` The token endpoint is used by the client to obtain an access token by presenting its authorization grant. Note that authentication requirements to this endpoint are configured by the application's `tokenEndpointAuthMethod` property. For `authorization_code` and `client_credentials` grants, the application calls the `POST /{{envID}}/as/token` endpoint to acquire the access token. For an `authorization_code` grant type in which the application's `tokenEndpointAuthMethod` is set to `PRIVATE_KEY_JWT`, the token endpoint uses a JWT signed by an external private key file. For information about creating the JWT (signed by the private key file) and the claims in the JWT, refer to [Create a private key JWT](../auth-config-options/create-a-private-key-jwt.html). Token requests that use this auth method require the `client_assertion` and `client_assertion_type` OAuth properties to specify the JWT. > **Collapse: Request Model** > > | Property | Type | Required? | > | ----------------------- | ------ | --------- | > | `client_id` | String | Required | > | `client_secret` | String | Required | > | `code` | String | Optional | > | `code_verifier` | String | Optional | > | `grant_type` | String | Optional | > | `redirect_uri` | String | Required | > | `client_assertion` | String | Required | > | `client_assertion_type` | String | Required | > > Refer to the [OpenID Connect/OAuth2 data model](../openid-connect-oauth-2.html) for full property descriptions. ### Headers Content-Type      application/x-www-form-urlencoded ### Body urlencoded ( application/x-www-form-urlencoded ) | Key | Value | | ----------------------- | ------------------------------------------------------ | | grant\_type | authorization\_code | | code | {{authCode}} | | redirect\_uri | | | client\_assertion | {{privateKeyJWT}} | | client\_assertion\_type | urn:ietf:params:oauth:client-assertion-type:jwt-bearer | ## ### Example Request * cURL * C# * Go * HTTP * Java * jQuery * NodeJS * Python * PHP * Ruby * Swift ```shell curl --location --globoff '{{authPath}}/{{envID}}/as/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'grant_type=authorization_code' \ --data-urlencode 'code={{authCode}}' \ --data-urlencode 'redirect_uri=https://www.google.com' \ --data-urlencode 'client_assertion={{privateKeyJWT}}' \ --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' ``` ```csharp var options = new RestClientOptions("{{authPath}}/{{envID}}/as/token") { MaxTimeout = -1, }; var client = new RestClient(options); var request = new RestRequest("", Method.Post); request.AddHeader("Content-Type", "application/x-www-form-urlencoded"); request.AddParameter("grant_type", "authorization_code"); request.AddParameter("code", "{{authCode}}"); request.AddParameter("redirect_uri", "https://www.google.com"); request.AddParameter("client_assertion", "{{privateKeyJWT}}"); request.AddParameter("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"); RestResponse response = await client.ExecuteAsync(request); Console.WriteLine(response.Content); ``` ```golang package main import ( "fmt" "strings" "net/http" "io" ) func main() { url := "{{authPath}}/{{envID}}/as/token" method := "POST" payload := strings.NewReader("grant_type=authorization_code&code=%7B%7BauthCode%7D%7D&redirect_uri=https%3A%2F%2Fwww.google.com&client_assertion=%7B%7BprivateKeyJWT%7D%7D&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer") client := &http.Client { } req, err := http.NewRequest(method, url, payload) if err != nil { fmt.Println(err) return } req.Header.Add("Content-Type", "application/x-www-form-urlencoded") res, err := client.Do(req) if err != nil { fmt.Println(err) return } defer res.Body.Close() body, err := io.ReadAll(res.Body) if err != nil { fmt.Println(err) return } fmt.Println(string(body)) } ``` ```http POST /{{envID}}/as/token HTTP/1.1 Host: {{authPath}} Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=%7B%7BauthCode%7D%7D&redirect_uri=https%3A%2F%2Fwww.google.com&client_assertion=%7B%7BprivateKeyJWT%7D%7D&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer ``` ```java OkHttpClient client = new OkHttpClient().newBuilder() .build(); MediaType mediaType = MediaType.parse("application/x-www-form-urlencoded"); RequestBody body = RequestBody.create(mediaType, "grant_type=authorization_code&code={{authCode}}&redirect_uri=https://www.google.com&client_assertion={{privateKeyJWT}}&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer"); Request request = new Request.Builder() .url("{{authPath}}/{{envID}}/as/token") .method("POST", body) .addHeader("Content-Type", "application/x-www-form-urlencoded") .build(); Response response = client.newCall(request).execute(); ``` ```javascript var settings = { "url": "{{authPath}}/{{envID}}/as/token", "method": "POST", "timeout": 0, "headers": { "Content-Type": "application/x-www-form-urlencoded" }, "data": { "grant_type": "authorization_code", "code": "{{authCode}}", "redirect_uri": "https://www.google.com", "client_assertion": "{{privateKeyJWT}}", "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" } }; $.ajax(settings).done(function (response) { console.log(response); }); ``` ```javascript var request = require('request'); var options = { 'method': 'POST', 'url': '{{authPath}}/{{envID}}/as/token', 'headers': { 'Content-Type': 'application/x-www-form-urlencoded' }, form: { 'grant_type': 'authorization_code', 'code': '{{authCode}}', 'redirect_uri': 'https://www.google.com', 'client_assertion': '{{privateKeyJWT}}', 'client_assertion_type': 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' } }; request(options, function (error, response) { if (error) throw new Error(error); console.log(response.body); }); ``` ```python import requests url = "{{authPath}}/{{envID}}/as/token" payload = 'grant_type=authorization_code&code=%7B%7BauthCode%7D%7D&redirect_uri=https%3A%2F%2Fwww.google.com&client_assertion=%7B%7BprivateKeyJWT%7D%7D&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer' headers = { 'Content-Type': 'application/x-www-form-urlencoded' } response = requests.request("POST", url, headers=headers, data=payload) print(response.text) ``` ```php setUrl('{{authPath}}/{{envID}}/as/token'); $request->setMethod(HTTP_Request2::METHOD_POST); $request->setConfig(array( 'follow_redirects' => TRUE )); $request->setHeader(array( 'Content-Type' => 'application/x-www-form-urlencoded' )); $request->addPostParameter(array( 'grant_type' => 'authorization_code', 'code' => '{{authCode}}', 'redirect_uri' => 'https://www.google.com', 'client_assertion' => '{{privateKeyJWT}}', 'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' )); try { $response = $request->send(); if ($response->getStatus() == 200) { echo $response->getBody(); } else { echo 'Unexpected HTTP status: ' . $response->getStatus() . ' ' . $response->getReasonPhrase(); } } catch(HTTP_Request2_Exception $e) { echo 'Error: ' . $e->getMessage(); } ``` ```ruby require "uri" require "net/http" url = URI("{{authPath}}/{{envID}}/as/token") http = Net::HTTP.new(url.host, url.port); request = Net::HTTP::Post.new(url) request["Content-Type"] = "application/x-www-form-urlencoded" request.body = "grant_type=authorization_code&code=%7B%7BauthCode%7D%7D&redirect_uri=https%3A%2F%2Fwww.google.com&client_assertion=%7B%7BprivateKeyJWT%7D%7D&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer" response = http.request(request) puts response.read_body ``` ```swift let parameters = "grant_type=authorization_code&code=%7B%7BauthCode%7D%7D&redirect_uri=https%3A%2F%2Fwww.google.com&client_assertion=%7B%7BprivateKeyJWT%7D%7D&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer" let postData = parameters.data(using: .utf8) var request = URLRequest(url: URL(string: "{{authPath}}/{{envID}}/as/token")!,timeoutInterval: Double.infinity) request.addValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type") request.httpMethod = "POST" request.httpBody = postData let task = URLSession.shared.dataTask(with: request) { data, response, error in guard let data = data else { print(String(describing: error)) return } print(String(data: data, encoding: .utf8)!) } task.resume() ``` ### Example Response 200 OK ```json { "access_token": "eyJhbGciOiJSUz...", "token_type": "Bearer", "expires_in": 3600, "scope": "openid" } ```