Skip to main content
POST
/
api
/
{serviceId}
/
auth
/
token
/
issue
curl
curl -v -X POST https://us.authlete.com/api/21653835348762/auth/token/issue \
-H 'Content-Type: application/json' \
-u 'Authorization: Bearer V5a40R6dWvw2gMkCOBFdZcM95q4HC0Z-T0YKD9-nR6F' \
-d '{ "ticket": "p7SXQ9JFjng7KFOZdCMBKcoR3ift7B54l1LGIgQXqEM", "subject": "john" }'
{
  "resultCode": "A054001",
  "resultMessage": "[A054001] The token request (grant_type=password) was processed successfully.",
  "accessToken": "OthV6TlZ2pPUtlBBvBSGFYzSdgVy87SSIPz2Zjwi-m0",
  "accessTokenDuration": 3600,
  "accessTokenExpiresAt": 1640331371876,
  "action": "OK",
  "clientAttributes": [
    {
      "key": "attribute1-key",
      "value": "attribute1-value"
    },
    {
      "key": "attribute2-key",
      "value": "attribute2-value"
    }
  ],
  "clientId": 26478243745571,
  "clientIdAlias": "my-client",
  "clientIdAliasUsed": false,
  "refreshToken": "ICPN0-sG3BH4szqiNqaFHZrWUGt7e0zaPuhys3ejQow",
  "refreshTokenDuration": 3600,
  "refreshTokenExpiresAt": 1640331371876,
  "responseContent": "{\\\"access_token\\\":\\\"OthV6TlZ2pPUtlBBvBSGFYzSdgVy87SSIPz2Zjwi-m0\\\",\\\"refresh_token\\\":\\\"ICPN0-sG3BH4szqiNqaFHZrWUGt7e0zaPuhys3ejQow\\\",\\\"scope\\\":null,\\\"token_type\\\":\\\"Bearer\\\",\\\"expires_in\\\":3600}",
  "serviceAttributes": [
    {
      "key": "attribute1-key",
      "value": "attribute1-value"
    },
    {
      "key": "attribute2-key",
      "value": "attribute2-value"
    }
  ],
  "subject": "john"
}

Authorizations

Authorization
string
header
required

Click the Get Token button below to log in with your Authlete account and retrieve an access token for API access.

Path Parameters

serviceId
string
required

A service ID.

Body

ticket
string
required

The ticket issued from Authlete /auth/token API.

subject
string
required

The subject (= unique identifier) of the authenticated user.

properties
object[]

Extra properties to associate with a newly created access token. Note that properties parameter is accepted only when Content-Type of the request is application/json, so don't use application/x-www-form-urlencoded if you want to specify properties.

jwtAtClaims
string

Additional claims that are added to the payload part of the JWT access token.

accessToken
string

The representation of an access token that may be issued as a result of the Authlete API call.

accessTokenDuration
integer<int64>

The duration (in seconds) of the access token that may be issued as a result of the Authlete API call.

When this request parameter holds a positive integer, it is used as the duration of the access token in. In other cases, this request parameter is ignored.

refreshTokenDuration
integer<int64>

The duration (in seconds) of the refresh token that may be issued as a result of the Authlete API call.

When this request parameter holds a positive integer, it is used as the duration of the refresh token in. In other cases, this request parameter is ignored.

Response

resultCode
string

The code which represents the result of the API call.

resultMessage
string

A short message which explains the result of the API call.

action
enum<string>

The next action that the authorization server implementation should take.

Available options:
INTERNAL_SERVER_ERROR,
INVALID_CLIENT,
BAD_REQUEST,
PASSWORD,
OK,
TOKEN_EXCHANGE,
JWT_BEARER
responseContent
string

The content that the authorization server implementation is to return to the client application. Its format varies depending on the value of action parameter.

username
string

The value of username request parameter in the token request. The client application must specify username when it uses Resource Owner Password Grant. In other words, when the value of grant_type request parameter is password, username request parameter must come along.

This parameter has a value only if the value of grant_type request parameter is password and the token request is valid.

password
string

The value of password request parameter in the token request. The client application must specify password when it uses Resource Owner Password Grant. In other words, when the value of grant_type request parameter is password, password request parameter must come along.

This parameter has a value only if the value of grant_type request parameter is password and the token request is valid.

ticket
string

The ticket which is necessary to call Authlete's /auth/token/fail API or /auth/token/issue API.

This parameter has a value only if the value of grant_type request parameter is password and the token request is valid.

accessToken
string

The newly issued access token.

accessTokenExpiresAt
integer<int64>

The datetime at which the newly issued access token will expire. The value is represented in milliseconds since the Unix epoch (1970-01-01).

accessTokenDuration
integer<int64>

The duration of the newly issued access token in seconds.

refreshToken
string

The newly issued refresh token.

refreshTokenExpiresAt
integer<int64>

The datetime at which the newly issued refresh token will expire. The value is represented in milliseconds since the Unix epoch (1970-01-01).

refreshTokenDuration
integer<int64>

The duration of the newly issued refresh token in seconds.

idToken
string

The newly issued ID token. Note that an ID token is issued from a token endpoint only when the response_type request parameter of the authorization request to an authorization endpoint has contained code and the scope request parameter has contained openid.

grantType
string

The grant type of the token request.

clientId
integer<int64>

The client ID.

clientIdAlias
string

The client ID alias when the token request was made. If the client did not have an alias, this parameter is null. Also, if the token request was invalid and it failed to identify a client, this parameter is null.

clientIdAliasUsed
boolean

The flag which indicates whether the client ID alias was used when the token request was made. true if the client ID alias was used when the token request was made.

subject
string

The subject (= resource owner's ID) of the access token. Even if an access token has been issued by the call of /api/auth/token API, this parameter is null if the flow of the token request was Client Credentials Flow (grant_type=client_credentials) because it means the access token is not associated with any specific end-user.

scopes
string[]

The scopes covered by the access token.

properties
object[]

The extra properties associated with the access token. This parameter is null when no extra property is associated with the issued access token.

jwtAccessToken
string

The newly issued access token in JWT format. If the authorization server is configured to issue JWT-based access tokens (= if the service's accessTokenSignAlg value is a non-null value), a JWT-based access token is issued along with the original random-string one.

resources
string[]

The resources specified by the resource request parameters in the token request. See "Resource Indicators for OAuth 2.0" for details.

accessTokenResources
string[]

The target resources of the access token being issued. See "Resource Indicators for OAuth 2.0" for details.

authorizationDetails
object

The authorization details. This represents the value of the authorization_details request parameter in the preceding device authorization request which is defined in "OAuth 2.0 Rich Authorization Requests".

serviceAttributes
object[]

The attributes of this service that the client application belongs to.

clientAttributes
object[]

The attributes of the client.

clientAuthMethod
string

The client authentication method that was performed at the token endpoint.

grantId
string

the value of the grant_id request parameter of the device authorization request.

The grant_id request parameter is defined in Grant Management for OAuth 2.0 , which is supported by Authlete 2.3 and newer versions.

audiences
string[]

The audiences on the token exchange request

requestedTokenType
enum<string>

The grant type of the access token when the access token was created.

Available options:
urn:ietf:params:oauth:token-type:jwt,
urn:ietf:params:oauth:token-type:access_token,
urn:ietf:params:oauth:token-type:refresh_token,
urn:ietf:params:oauth:token-type:id_token,
urn:ietf:params:oauth:token-type:saml1,
urn:ietf:params:oauth:token-type:saml2,
DEVICE_CODE,
TOKEN_EXCHANGE,
JWT_BEARER
subjectToken
string
subjectTokenType
enum<string>

The grant type of the access token when the access token was created.

Available options:
urn:ietf:params:oauth:token-type:jwt,
urn:ietf:params:oauth:token-type:access_token,
urn:ietf:params:oauth:token-type:refresh_token,
urn:ietf:params:oauth:token-type:id_token,
urn:ietf:params:oauth:token-type:saml1,
urn:ietf:params:oauth:token-type:saml2,
DEVICE_CODE,
TOKEN_EXCHANGE,
JWT_BEARER
subjectTokenInfo
object
actorToken
string
actorTokenType
enum<string>

The grant type of the access token when the access token was created.

Available options:
urn:ietf:params:oauth:token-type:jwt,
urn:ietf:params:oauth:token-type:access_token,
urn:ietf:params:oauth:token-type:refresh_token,
urn:ietf:params:oauth:token-type:id_token,
urn:ietf:params:oauth:token-type:saml1,
urn:ietf:params:oauth:token-type:saml2,
DEVICE_CODE,
TOKEN_EXCHANGE,
JWT_BEARER
actorTokenInfo
object
assertion
string

For RFC 7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants

previousRefreshTokenUsed
boolean

Indicate whether the previous refresh token that had been kept in the database for a short time was used

clientEntityId
string

The entity ID of the client.

clientEntityIdUsed
boolean

Flag which indicates whether the entity ID of the client was used when the request for the access token was made.

cnonceDuration
integer<int64>

Duration of the c_nonce in seconds.

dpopNonce
string

Get the expected nonce value for DPoP proof JWT, which should be used as the value of the DPoP-Nonce HTTP header.

cnonce
string

Get the c_nonce.

cnonceExpiresAt
integer<int64>

Get the time at which the c_nonce expires in milliseconds since the Unix epoch (1970-01-01).

requestedIdTokenClaims
string[]

Get the names of the claims that the authorization request (which resulted in generation of the access token) requested to be embedded in ID tokens.

refreshTokenScopes
string[]

Scopes associated with the refresh token.

sessionId
string

The session ID, which is the ID of the user's authentication session, associated with a newly created access token.

deviceSecret
string

If the response from the /auth/token API contains the deviceSecret parameter, its value should be used as the value of this deviceSecret request parameter to the /nativesso API. The authorization server may choose to issue a new device secret; in that case, it is free to generate a new device secret and specify the new value.

If the response from the /auth/token API does not contain the deviceSecret parameter, or if its value is invalid, the authorization server must generate a new device secret and specify it in the deviceSecret parameter to the /nativesso API.

The specified value is used as the value of the device_secret property in the token response.

deviceSecretHash
string

The authorization server should compute the hash value of the device secret based on its own logic and specify the computed hash as the value of this deviceSecretHash request parameter to the /nativesso API.

When the deviceSecretHash parameter is omitted, the implementation of the /nativesso API generates the device secret hash by computing the SHA-256 hash of the device secret and encoding it with base64url. Note that this hash computation logic is not a rule defined in the Native SSO specification; rather, it is Authlete-specific fallback logic used when the deviceSecretHash parameter is omitted.