Request Syntax URI Request Parameters Request Body Response Syntax Response Elements Errors See Also

CreateOAuth2Token

Grants permission to exchange an authorization code for OAuth 2.0 access token and refresh token that can be used to access AWS services from developer tools and applications.

Request Syntax


POST /v1/token HTTP/1.1
Content-type: application/json

{
   "clientId": "string",
   "code": "string",
   "codeVerifier": "string",
   "grantType": "string",
   "redirectUri": "string",
   "refreshToken": "string"
}

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request accepts the following data in JSON format.

clientId

Client identifier which is unique to authorization server.

Type: String

Pattern: arn:aws:signin:::devtools/(same-device|cross-device)

Required: Yes

code

The authorization code received from /v1/authorize. Required only when grant_type=authorization_code.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 512.

Required: No

codeVerifier

PKCE code verifier to prove possession of the original code challenge. Required only when grant_type=authorization_code.

Type: String

Length Constraints: Minimum length of 43. Maximum length of 128.

Pattern: [A-Za-z0-9\-._~]+

Required: No

grantType

Specifies the type of OAuth 2.0 grant being requested. Supported values:

authorization_code - Exchange an authorization code for token.
refresh_token - Use a refresh token to obtain new access token.

Type: String

Pattern: (authorization_code|refresh_token)

Required: Yes

redirectUri

The redirect URI that must match the original authorization request. Required only when grant_type=authorization_code.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: No

refreshToken

Required only when grant_type=refresh_token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: No

Response Syntax


HTTP/1.1 200
Content-type: application/json

{
   "accessToken": { 
      "accessKeyId": "string",
      "secretAccessKey": "string",
      "sessionToken": "string"
   },
   "expiresIn": number,
   "idToken": "string",
   "refreshToken": "string",
   "tokenType": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

accessToken

The AWS access credentials.

Type: AccessToken object

expiresIn

The number of seconds until the access token expires.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 900.

idToken

Contains user identity information. Present only in response when grant_type=authorization_code. Not included in token refresh responses

Type: String

Length Constraints: Minimum length of 1. Maximum length of 4096.

refreshToken

Encrypted refresh token with cnf.jkt (SHA-256 thumbprint of presented jwk). Always present in responses (required for both flows).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

tokenType

Indicates that these are AWS SigV4 credentials. Value is urn:aws:params:oauth:token-type:access_token_sigv4 for both flows.

Type: String

Pattern: urn:aws:params:oauth:token-type:access_token_sigv4

Errors

For information about the errors that are common to all actions, see Common Errors.

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception or failure with an internal server.

HTTP Status Code: 500

TooManyRequestsError

Indicates that the principal has exceeded the limit of requests to this API operation.

HTTP Status Code: 429

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400