Exchanges an OAuth 2.0 authorization code for an access token (PKCE verification supported).

POST /token

Validates the client key, retrieves the cached authorization code, checks PKCE requirements, and generates a signed JWT access token. The authorization code is invalidated after use.

Errors: Returns 400 Bad Request if the client key, authorization code, or PKCE verification fails, or if the associated user is invalid.
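
The checks described above (single-use authorization code, client binding, PKCE S256 as defined in RFC 7636), shown as an added example that is not this API's own implementation. The function names, the in-memory cache and its field names are assumptions, and JWT signing is left to the caller.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time

# Hypothetical in-memory stand-in for the server's authorization-code cache.
CODE_CACHE = {}
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")  # RFC 7636 section 4.1

def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def issue_code(client_key: str, user: str, code_challenge: str, ttl: int = 60) -> str:
    """Authorization step: cache the code with the challenge it is bound to."""
    code = secrets.token_urlsafe(32)
    CODE_CACHE[code] = {"client_key": client_key, "user": user,
                        "challenge": code_challenge, "expires": time.time() + ttl}
    return code

def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))

def redeem_code(client_key: str, code: str, code_verifier: str):
    """Token step: return (status, user). Every failure maps to 400."""
    # Assumption of this sketch: pop() invalidates the code on the first
    # redemption attempt, successful or not, so it can never be retried.
    entry = CODE_CACHE.pop(code, None)
    if entry is None or entry["expires"] < time.time():
        return 400, None
    if not _same(entry["client_key"], client_key):
        return 400, None
    if not VERIFIER_RE.fullmatch(code_verifier):
        return 400, None
    if not _same(s256_challenge(code_verifier), entry["challenge"]):
        return 400, None
    return 200, entry["user"]  # caller would now sign and return the JWT
```

Returning the same 400 for every failure keeps a caller from learning which of the checks rejected the request.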

Request

Responses

OK