---
title: /oauth2/access_token
description: The /oauth2/access_token endpoint is the OAuth 2.0 token endpoint (RFC 6749).
component: pingoneaic-api
page_id: pingoneaic-api:am-oauth2:oauth2-access_token-endpoint
canonical_url: https://developer.pingidentity.com/pingoneaic-api/am-oauth2/oauth2-access_token-endpoint.html
keywords: ["OAuth 2.0", "Endpoints", "Authorization", "REST API"]
---

# /oauth2/access\_token

The `/oauth2/access_token` endpoint is the OAuth 2.0 [token endpoint](https://www.rfc-editor.org/rfc/rfc6749.html#section-3.2) (RFC 6749).

Use this endpoint to acquire an access or refresh token with the following flows:

* Authorization code grant ([OAuth 2.0 and OIDC](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/oauth2-authz-grant.html))

* Authorization code grant with PKCE ([OAuth 2.0 and OIDC](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/oauth2-authz-grant-pkce.html))

* Authorization code grant with PAR ([OAuth 2.0](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/oauth2-authz-grant-par.html))

* Client credentials grant ([OAuth 2.0](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/oauth2-client-cred-grant.html))

* Resource owner password credentials grant ([OAuth 2.0](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/oauth2-ropc-grant.html))

* Device flow ([OAuth 2.0](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/oauth2-device-flow.html))

* SAML 2.0 profile for authorization grant ([OAuth 2.0](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/oauth2-saml2-bearer-grant.html))

* Token exchange ([OAuth 2.0 | OpenID Connect](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/token-exchange.html))

Specify the realm in the request URL; for example:

```none
https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/access_token
```

The `access_token` endpoint supports the following parameters:

| Parameter               | Description                                                                                                                                                                         | Required                                                                                                                                     |
| ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
| `actor_token`           | The token representing a delegate acting on behalf of another identity.                                                                                                             | Yes, for [Token exchange](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/token-exchange.html)                                     |
| `actor_token_type`      | The type of actor token.                                                                                                                                                            | Yes, for [Token exchange](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/token-exchange.html)                                     |
| `auth_chain`            | A string naming the journey to authenticate the resource owner.                                                                                                                     | No, only for [Resource owner password credentials grant](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/oauth2-ropc-grant.html)   |
| `assertion`             | A string holding a base64-encoded then URL-encoded SAML 2.0 assertion.                                                                                                              | Yes, when `grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer`                                                                         |
| `client_assertion`      | A signed JSON Web Token (JWT) to use as client credentials.                                                                                                                         | Yes, for [JWT profile](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/client-auth-jwt.html) authentication                        |
| `client_assertion_type` | The type of assertion, `client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer`.                                                                    | Yes, for [JWT profile](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/client-auth-jwt.html) authentication                        |
| `client_id`             | Uniquely identifies the application making the request.                                                                                                                             | Yes                                                                                                                                          |
| `client_secret`         | The password for a confidential client; do not use with `cnf_key`.                                                                                                                  | Yes, when authenticating with [Form parameters (HTTP POST)](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/client-auth-form.html) |
| `cnf_key`               | A base64-encoded JSON Web Key (JWK); do not use with `client_secret`.                                                                                                               | Yes, for [JWK-based proof-of-possession](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/oauth2-PoP-JWK.html)                      |
| `code`                  | A string holding the authorization code for an authorization code grant.                                                                                                            | Yes, when `grant_type=authorization_code`                                                                                                    |
| `code_verifier`         | A random string correlating a PKCE authorization request with the token request.                                                                                                    | Yes, for flows with PKCE                                                                                                                     |
| `device_code`           | A string holding the device code requested from the user for a device flow.                                                                                                         | Yes, when `grant_type=urn:ietf:params:oauth:grant-type:device_code`                                                                          |
| `grant_type`            | A string specifying the type of grant to acquire an access token.                                                                                                                   | Yes                                                                                                                                          |
| `password`              | A string holding the resource owner password for the [Resource owner password credentials grant](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/oauth2-ropc-grant.html). | Yes, when `grant_type=password`                                                                                                              |
| `redirect_uri`          | The URI to return the resource owner to after authorization is complete.                                                                                                            | Yes, when `grant_type=authorization_code` and it was included earlier in the flow                                                            |
| `refresh_token`         | The refresh token to get a new access token.                                                                                                                                        | Yes, for [Refresh tokens](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/oauth2-refresh-tokens.html)                              |
| `requested_token_type`  | The type of token requested in exchange.                                                                                                                                            | No, but recommended for [Token exchange](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/token-exchange.html)                      |
| `scope`                 | The scopes linked to the permissions requested by the client from the resource owner.                                                                                               | No                                                                                                                                           |
| `subject_token`         | The original token to exchange.                                                                                                                                                     | Yes, for [Token exchange](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/token-exchange.html)                                     |
| `subject_token_type`    | The type of subject token.                                                                                                                                                          | Yes, for [Token exchange](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/token-exchange.html)                                     |
| `username`              | A string holding the resource owner username for the [Resource owner password credentials grant](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/oauth2-ropc-grant.html). | Yes, when `grant_type=password`                                                                                                              |
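
The required-parameter rules in the table above, written as a pre-flight check a client can run before posting to the endpoint. This is an added example, not Ping Identity code; the function name `check_token_request` and the sample values are constructed for illustration. It covers only the rows whose condition is stated as a `grant_type` value, plus the `client_secret`/`cnf_key`, `auth_chain` and JWT profile rules.

```python
# Added example: checks decoded form parameters against the "Required"
# column of the parameter table. Names and sample values are assumptions.
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

# Parameters the table marks as required for a specific grant_type value.
REQUIRED_BY_GRANT = {
    "authorization_code": ["code"],
    "password": ["username", "password"],
    "urn:ietf:params:oauth:grant-type:device_code": ["device_code"],
    "urn:ietf:params:oauth:grant-type:saml2-bearer": ["assertion"],
}


def check_token_request(params):
    """Return a list of problems found in a dict of form parameters."""
    problems = []
    for name in ("client_id", "grant_type"):
        if not params.get(name):
            problems.append(f"missing {name}")
    grant = params.get("grant_type", "")
    for name in REQUIRED_BY_GRANT.get(grant, []):
        if not params.get(name):
            problems.append(f"missing {name} for grant_type={grant}")
    # client_secret and cnf_key must not appear in the same request.
    if "client_secret" in params and "cnf_key" in params:
        problems.append("client_secret used with cnf_key")
    # auth_chain applies only to the resource owner password credentials grant.
    if "auth_chain" in params and grant != "password":
        problems.append("auth_chain outside password grant")
    # JWT profile client authentication needs both assertion parameters.
    has_jwt = "client_assertion" in params
    has_type = "client_assertion_type" in params
    if has_jwt != has_type:
        problems.append("client_assertion and client_assertion_type must be sent together")
    elif has_type and params["client_assertion_type"] != JWT_BEARER:
        problems.append("unexpected client_assertion_type")
    return problems


# Constructed sample requests (placeholder values, not real credentials).
GOOD = {"grant_type": "authorization_code", "client_id": "myClient",
        "code": "constructed-code", "code_verifier": "constructed-verifier",
        "redirect_uri": "https://client.example.com/callback"}
BAD = {"grant_type": "password", "client_id": "myClient", "username": "demo",
       "client_secret": "placeholder", "cnf_key": "placeholder",
       "auth_chain": "Login"}

if __name__ == "__main__":
    print(check_token_request(GOOD))
    print(check_token_request(BAD))
```

The check takes parameter values as they are before URL encoding, so `client_assertion_type` is compared in its decoded form.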
