CreateOAuth2Token
Grants permission to exchange an authorization code for an OAuth 2.0 access token and refresh token that can be used to access AWS services from developer tools and applications.
Request Syntax
POST /v1/token HTTP/1.1
Content-type: application/json
{
"clientId": "string",
"code": "string",
"codeVerifier": "string",
"grantType": "string",
"redirectUri": "string",
"refreshToken": "string"
}
URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
- clientId
The client identifier, which is unique to the authorization server.
Type: String
Pattern: arn:aws:signin:::devtools/(same-device|cross-device)
Required: Yes
- code
The authorization code received from /v1/authorize. Required only when grant_type=authorization_code.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 512.
Required: No
- codeVerifier
PKCE code verifier to prove possession of the original code challenge. Required only when grant_type=authorization_code.
Type: String
Length Constraints: Minimum length of 43. Maximum length of 128.
Pattern: [A-Za-z0-9\-._~]+
Required: No
- grantType
Specifies the type of OAuth 2.0 grant being requested. Supported values:
  - authorization_code - Exchange an authorization code for a token.
  - refresh_token - Use a refresh token to obtain a new access token.
Type: String
Pattern: (authorization_code|refresh_token)
Required: Yes
- redirectUri
The redirect URI that must match the original authorization request. Required only when grant_type=authorization_code.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 2048.
Required: No
- refreshToken
Required only when grant_type=refresh_token.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 2048.
Required: No
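One way to enforce the Request Body constraints above on the client before calling /v1/token, as an added example (not AWS or SDK code). The function names, the choice to reject fields that belong to the other grant type, and any sample values are assumptions of this example.

```python
import re
import secrets

# Constraints copied from the Request Body section above.
CLIENT_ID_RE = re.compile(r"arn:aws:signin:::devtools/(same-device|cross-device)")
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]+")
MAX_LEN = {"code": 512, "redirectUri": 2048, "refreshToken": 2048}
# Fields each grant type requires in addition to clientId and grantType.
REQUIRED = {
    "authorization_code": ("code", "codeVerifier", "redirectUri"),
    "refresh_token": ("refreshToken",),
}


def new_code_verifier(n_bytes=48):
    """Return a random PKCE verifier; 48 random bytes encode to 64 characters."""
    verifier = secrets.token_urlsafe(n_bytes)  # alphabet: A-Z a-z 0-9 - _
    if not 43 <= len(verifier) <= 128:
        raise ValueError("n_bytes yields a verifier outside 43-128 characters")
    return verifier


def build_token_request(client_id, grant_type, **fields):
    """Validate the inputs and return the JSON body for POST /v1/token."""
    if not CLIENT_ID_RE.fullmatch(client_id):
        raise ValueError("clientId does not match the documented pattern")
    if grant_type not in REQUIRED:
        raise ValueError("grantType must be authorization_code or refresh_token")
    needed = REQUIRED[grant_type]
    missing = [f for f in needed if not fields.get(f)]
    if missing:
        raise ValueError(f"{grant_type} requires: {', '.join(missing)}")
    # Client-side policy (an assumption, stricter than the page): refuse fields
    # of the other grant so a stale code or refresh token is never sent along.
    extra = sorted(set(fields) - set(needed))
    if extra:
        raise ValueError(f"not used with {grant_type}: {', '.join(extra)}")
    for name, limit in MAX_LEN.items():
        if name in fields and len(fields[name]) > limit:
            raise ValueError(f"{name} exceeds {limit} characters")
    if grant_type == "authorization_code":
        v = fields["codeVerifier"]
        if not (43 <= len(v) <= 128 and VERIFIER_RE.fullmatch(v)):
            raise ValueError("codeVerifier must be 43-128 chars of [A-Za-z0-9-._~]")
    return {"clientId": client_id, "grantType": grant_type, **fields}
```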
Response Syntax
HTTP/1.1 200
Content-type: application/json
{
"accessToken": {
"accessKeyId": "string",
"secretAccessKey": "string",
"sessionToken": "string"
},
"expiresIn": number,
"idToken": "string",
"refreshToken": "string",
"tokenType": "string"
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- accessToken
The AWS access credentials.
Type: AccessToken object
- expiresIn
The number of seconds until the access token expires.
Type: Integer
Valid Range: Minimum value of 1. Maximum value of 900.
- idToken
Contains user identity information. Present only in the response when grant_type=authorization_code. Not included in token refresh responses.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 4096.
- refreshToken
Encrypted refresh token with cnf.jkt (SHA-256 thumbprint of presented jwk). Always present in responses (required for both flows).
Type: String
Length Constraints: Minimum length of 1. Maximum length of 2048.
- tokenType
Indicates that these are AWS SigV4 credentials. Value is urn:aws:params:oauth:token-type:access_token_sigv4 for both flows.
Type: String
Pattern: urn:aws:params:oauth:token-type:access_token_sigv4
Errors
For information about the errors that are common to all actions, see Common Errors.
- AccessDeniedException
You do not have sufficient access to perform this action.
HTTP Status Code: 400
- InternalServerException
The request processing has failed because of an unknown error, exception or failure with an internal server.
HTTP Status Code: 500
- TooManyRequestsError
Indicates that the principal has exceeded the limit of requests to this API operation.
HTTP Status Code: 429
- ValidationException
The request failed because it contains a syntax error.
HTTP Status Code: 400