POST /api/{serviceId}/auth/token/create
curl
curl -v -X POST https://us.authlete.com/api/21653835348762/auth/token/create \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer V5a40R6dWvw2gMkCOBFdZcM95q4HC0Z-T0YKD9-nR6F' \
-d '{ "grantType": "AUTHORIZATION_CODE", "clientId": 26888344961664, "subject": "john", "scopes": [ "history.read", "timeline.read" ] }'
{
  "resultCode": "A109001",
  "resultMessage": "[A109001] An access token was created successfully: authorization_code, client = 26888344961664",
  "accessToken": "Z5a40U6dWvw2gMoCOAFbZcM85q4HC0Z--0YKD9-Nf6Q",
  "action": "OK",
  "clientId": 26888344961664,
  "expiresAt": 1642048148973,
  "expiresIn": 3600,
  "grantType": "AUTHORIZATION_CODE",
  "refreshToken": "9beh15GWkGLseBBO1tPobnsGpKLHV3mTkm0EWnNBa4g",
  "scopes": [
    "history.read",
    "timeline.read"
  ],
  "subject": "john",
  "tokenType": "Bearer"
}

Authorizations

Authorization
string
header
required

A bearer access token for the Authlete API, sent in the Authorization header as Authorization: Bearer <token> (see the curl example above).

Path Parameters

serviceId
string
required

A service ID.

Body

grantType
enum<string>
required

The grant type of the access token when the access token was created.

Available options:
AUTHORIZATION_CODE,
IMPLICIT,
PASSWORD,
CLIENT_CREDENTIALS,
REFRESH_TOKEN,
CIBA,
DEVICE_CODE,
TOKEN_EXCHANGE,
JWT_BEARER
clientId
integer<int64>
required

The ID of the client application which will be associated with a newly created access token.

subject
string

The subject (= unique identifier) of the user who will be associated with a newly created access token. This parameter is required unless the grant type is CLIENT_CREDENTIALS. The value must consist of only ASCII characters and its length must not exceed 100.

scopes
string[]

The scopes which will be associated with a newly created access token. Scopes that are not supported by the service cannot be specified and requesting them will cause an error.

accessTokenDuration
integer<int64>

The duration of a newly created access token in seconds. If the value is 0, the duration is determined according to the settings of the service.

refreshTokenDuration
integer<int64>

The duration of a newly created refresh token in seconds. If the value is 0, the duration is determined according to the settings of the service.

A refresh token is not created (1) if the service does not support REFRESH_TOKEN, or (2) if the specified grant type is either IMPLICIT or CLIENT_CREDENTIALS.

properties
object[]

Extra properties to associate with a newly created access token. Note that the properties parameter is accepted only when the request uses the POST method with Content-Type: application/json; it is not accepted with the GET method or with application/x-www-form-urlencoded.
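The following Python is an added example, not code from this page or from Authlete: it builds a request body that respects the rules stated above (subject required unless the grant is CLIENT_CREDENTIALS and limited to 100 ASCII characters, unsupported scopes rejected, no refresh token for IMPLICIT or CLIENT_CREDENTIALS, accessTokenDuration ignored when accessTokenPersistent is true), sends it with the same headers as the curl example, and accepts the result only when action is OK. The helper names (build_token_create_body, TokenCreateError, create_token, the injectable transport, the supported_scopes input) are assumptions of this example, and the canned response is copied from the page's example so the call can be exercised offline.

```python
"""Pre-flight validation and a call to /api/{serviceId}/auth/token/create.
Added example with assumed helper names; not Authlete's own client code."""
import json
import urllib.request
from typing import Any, Callable, Dict, List, Optional

GRANT_TYPES = {
    "AUTHORIZATION_CODE", "IMPLICIT", "PASSWORD", "CLIENT_CREDENTIALS",
    "REFRESH_TOKEN", "CIBA", "DEVICE_CODE", "TOKEN_EXCHANGE", "JWT_BEARER",
}
NO_REFRESH_TOKEN_GRANTS = {"IMPLICIT", "CLIENT_CREDENTIALS"}  # no refresh token is created


class TokenCreateError(ValueError):
    """A request that violates a documented rule, or a non-OK API result."""


def build_token_create_body(
    grant_type: str, client_id: int, subject: Optional[str] = None,
    scopes: Optional[List[str]] = None, supported_scopes: Optional[List[str]] = None,
    access_token_duration: int = 0, refresh_token_duration: int = 0,
    properties: Optional[List[Dict[str, Any]]] = None, refresh_token: Optional[str] = None,
    access_token_persistent: bool = False,
) -> Dict[str, Any]:
    """Return the JSON body, rejecting input that the documented rules would reject."""
    if grant_type not in GRANT_TYPES:
        raise TokenCreateError(f"unknown grantType {grant_type!r}")
    if isinstance(client_id, bool) or not isinstance(client_id, int) or client_id < 0:
        raise TokenCreateError("clientId must be a non-negative integer")
    # subject: required unless CLIENT_CREDENTIALS; ASCII only; at most 100 characters
    if subject is None and grant_type != "CLIENT_CREDENTIALS":
        raise TokenCreateError("subject is required unless grantType is CLIENT_CREDENTIALS")
    if subject is not None and (not subject.isascii() or not 0 < len(subject) <= 100):
        raise TokenCreateError("subject must be 1 to 100 ASCII characters")
    # Unsupported scopes cause a server-side error; catch them locally when the
    # service's scope list is known (supported_scopes is an assumed input here).
    if scopes and supported_scopes is not None:
        unknown = sorted(set(scopes) - set(supported_scopes))
        if unknown:
            raise TokenCreateError(f"scopes not supported by the service: {unknown}")
    if refresh_token is not None and grant_type in NO_REFRESH_TOKEN_GRANTS:
        raise TokenCreateError(f"no refresh token is created for grantType {grant_type}")
    if access_token_duration < 0 or refresh_token_duration < 0:
        raise TokenCreateError("durations must be >= 0 (0 means use the service setting)")

    body: Dict[str, Any] = {"grantType": grant_type, "clientId": client_id}
    if subject is not None:
        body["subject"] = subject
    if scopes:
        body["scopes"] = list(scopes)
    if access_token_persistent:
        body["accessTokenPersistent"] = True  # accessTokenDuration would be ignored
    elif access_token_duration:
        body["accessTokenDuration"] = access_token_duration
    if refresh_token_duration:
        body["refreshTokenDuration"] = refresh_token_duration
    if properties:
        body["properties"] = properties  # honoured only for POST + application/json
    if refresh_token is not None:
        body["refreshToken"] = refresh_token
    return body


def is_rejected(**kwargs: Any) -> bool:
    """True if build_token_create_body refuses the given arguments."""
    try:
        build_token_create_body(**kwargs)
    except TokenCreateError:
        return True
    return False


# transport(url, headers, json_bytes) -> parsed JSON; injectable so the request can be
# inspected offline. urllib_transport is the default for calls against the real API.
Transport = Callable[[str, Dict[str, str], bytes], Dict[str, Any]]


def urllib_transport(url: str, headers: Dict[str, str], data: bytes) -> Dict[str, Any]:
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def create_token(base_url: str, service_id: int, api_token: str, body: Dict[str, Any],
                 transport: Transport = urllib_transport) -> Dict[str, Any]:
    """POST the body as JSON with a Bearer API token (as in the curl example);
    return the response only if its action is OK and it carries an access token."""
    url = f"{base_url.rstrip('/')}/api/{service_id}/auth/token/create"
    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {api_token}"}
    resp = transport(url, headers, json.dumps(body).encode("utf-8"))
    if resp.get("action") != "OK" or not resp.get("accessToken"):
        raise TokenCreateError(f"{resp.get('action')}: {resp.get('resultCode')} {resp.get('resultMessage')}")
    return resp


# Constructed canned response, copied from the page's example, for offline use.
SAMPLE_OK_RESPONSE: Dict[str, Any] = {
    "resultCode": "A109001", "action": "OK", "clientId": 26888344961664,
    "accessToken": "Z5a40U6dWvw2gMoCOAFbZcM85q4HC0Z--0YKD9-Nf6Q", "expiresIn": 3600,
    "refreshToken": "9beh15GWkGLseBBO1tPobnsGpKLHV3mTkm0EWnNBa4g",
    "scopes": ["history.read", "timeline.read"], "subject": "john", "tokenType": "Bearer",
}


def recording_transport(response: Dict[str, Any], log: List[Any]) -> Transport:
    """Offline transport: records (url, headers, body) and returns the canned response."""
    def transport(url: str, headers: Dict[str, str], data: bytes) -> Dict[str, Any]:
        log.append((url, headers, json.loads(data)))
        return response
    return transport
```

The local checks only mirror what the page documents; the server remains the authority, so a non-OK action (for example BAD_REQUEST for an unsupported scope, or the duplicate-hash error described for accessToken) still surfaces as a TokenCreateError carrying resultCode and resultMessage.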

clientIdAliasUsed
boolean

A boolean request parameter which indicates whether to emulate that the client ID alias was used instead of the original numeric client ID when the access token is created.

This affects only the value of the aud claim in responses from the UserInfo endpoint. When the UserInfo endpoint (expected to be implemented with Authlete's /api/auth/userinfo and /api/auth/userinfo/issue APIs) is accessed with an access token that was created by /api/auth/token/create with clientIdAliasUsed set to true, the client ID alias is used as the value of the aud claim in the UserInfo response.

Note that if no client ID alias is assigned to the client when /api/auth/token/create is called, this parameter has no effect (it is always regarded as false).

accessToken
string

The value of the new access token.

The /api/auth/token/create API generates an access token. Therefore, callers of the API do not have to specify values of newly created access tokens. However, in some cases, for example, if you want to migrate existing access tokens from an old system to Authlete, you may want to specify values of access tokens. In such a case, you can specify the value of a newly created access token by passing a non-null value as the value of accessToken request parameter. The implementation of the /api/auth/token/create uses the value of the accessToken request parameter instead of generating a new value when the request parameter holds a non-null value.

Note that if the hash value of the specified access token already exists in Authlete's database, the access token cannot be inserted and the /api/auth/token/create API will report an error.

refreshToken
string

The value of the new refresh token.

The /api/auth/token/create API may generate a refresh token. Therefore, callers of the API do not have to specify values of newly created refresh tokens. However, in some cases, for example, if you want to migrate existing refresh tokens from an old system to Authlete, you may want to specify values of refresh tokens. In such a case, you can specify the value of a newly created refresh token by passing a non-null value as the value of refreshToken request parameter. The implementation of the /api/auth/token/create uses the value of the refreshToken request parameter instead of generating a new value when the request parameter holds a non-null value.

Note that if the hash value of the specified refresh token already exists in Authlete's database, the refresh token cannot be inserted and the /api/auth/token/create API will report an error.

accessTokenPersistent
boolean

Whether the access token is persistent, i.e. never expires. By default, all access tokens expire after a period of time determined by their service.

If this request parameter is true, then the access token will not automatically expire and must be revoked or deleted manually at the service. If this request parameter is true, the accessTokenDuration request parameter is ignored.

certificateThumbprint
string

The thumbprint of the MTLS client certificate bound to this token. If this property is set, a certificate with the corresponding thumbprint MUST be presented with the access token when it is used by a client. The value must be the SHA-256 hash of the DER-encoded certificate, base64url-encoded (the x5t#S256 value of RFC 8705).

dpopKeyThumbprint
string

The thumbprint of the public key used for DPoP presentation of this token. If this property is set, a DPoP proof signed with the corresponding private key MUST be presented with the access token when it is used by a client. Additionally, the token's token_type will be set to 'DPoP'.
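Both certificateThumbprint and dpopKeyThumbprint are hashes that the caller has to compute itself, and getting the input to the hash wrong produces a token that can never be used. The following Python is an added example, not Authlete code: it computes the certificate thumbprint as base64url(SHA-256(DER certificate)) per RFC 8705, computes the key thumbprint as the RFC 7638 JWK thumbprint (the jkt value that RFC 9449 DPoP binds tokens to; that this is the value Authlete expects in dpopKeyThumbprint is an assumption of this example), and shows the comparison a resource server performs when the credential is presented. The function names, the sample JWK and the placeholder certificate bytes are constructed for the example and are not real keys.

```python
"""Thumbprints for certificate-bound (RFC 8705) and DPoP-bound (RFC 7638 / RFC 9449)
access tokens. Added example; helper names are assumptions, sample data is constructed."""
import base64
import hashlib
import hmac
import json
from typing import Any, Dict


def b64url(data: bytes) -> str:
    # Unpadded base64url, as both RFC 8705 (x5t#S256) and RFC 7638 require.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and return the DER bytes (the thumbprint is over DER, not PEM)."""
    lines = [ln.strip() for ln in pem.splitlines()]
    return base64.b64decode("".join(ln for ln in lines if ln and not ln.startswith("-----")))


def certificate_thumbprint(cert_der: bytes) -> str:
    """Value for certificateThumbprint: base64url(SHA-256(DER certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())


# Members that RFC 7638 (and RFC 8037 for OKP) include in the thumbprint input.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def jwk_thumbprint(jwk: Dict[str, Any]) -> str:
    """Value for dpopKeyThumbprint: SHA-256 over the required public members only,
    ordered lexicographically, serialised with no whitespace, base64url-encoded.
    kid, alg, use and any private members (d, p, q, ...) are ignored, so a private
    JWK yields the same thumbprint as its public half."""
    members = _THUMBPRINT_MEMBERS.get(jwk.get("kty"))
    if members is None:
        raise ValueError(f"unsupported kty {jwk.get('kty')!r}")
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"JWK is missing required members {missing}")
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def presented_cert_matches(token_cert_thumbprint: str, presented_cert_der: bytes) -> bool:
    """Resource-server side of RFC 8705: the TLS client certificate must hash to the
    thumbprint bound to the token. Constant-time compare avoids a timing oracle."""
    return hmac.compare_digest(token_cert_thumbprint, certificate_thumbprint(presented_cert_der))


def dpop_proof_key_matches(token_jkt: str, proof_header_jwk: Dict[str, Any]) -> bool:
    """Resource-server side of RFC 9449: the jwk in the DPoP proof header must hash to
    the thumbprint bound to the token. The proof's signature and claims (htm, htu, ath,
    iat, jti) must be verified separately; a malformed jwk simply fails the binding."""
    try:
        return hmac.compare_digest(token_jkt, jwk_thumbprint(proof_header_jwk))
    except ValueError:
        return False


# Constructed sample data: a P-256 public JWK whose coordinates are arbitrary base64url
# strings (not a real key), and placeholder bytes standing in for a DER certificate.
SAMPLE_EC_JWK: Dict[str, Any] = {
    "kty": "EC", "crv": "P-256",
    "x": "ExampleX_NotARealKey_0123456789abcdefghijkl",
    "y": "ExampleY_NotARealKey_0123456789abcdefghijkl",
}
SAMPLE_CERT_DER: bytes = bytes(range(256)) * 2
SAMPLE_CERT_PEM: str = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_CERT_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)
```

When migrating tokens from another system, compute dpopKeyThumbprint from the public JWK the client will present in its DPoP proofs, not from a PEM or DER encoding of that key: the same key encoded differently hashes differently, and only the RFC 7638 form is what the proof's jwk header will be hashed to at verification time.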

authorizationDetails
object

The authorization details to associate with the access token, in the format of the authorization_details request parameter defined in "OAuth 2.0 Rich Authorization Requests" (RFC 9396).

resources
string<uri>[]

The value of the resources to associate with the token. This property represents the value of one or more resource request parameters which is defined in "RFC8707 Resource Indicators for OAuth 2.0".

forExternalAttachment
boolean

The flag which indicates whether the access token is for an external attachment.

jwtAtClaims
string

Additional claims that are added to the payload part of the JWT access token.

acr
string

The Authentication Context Class Reference of the user authentication that the authorization server performed during the course of issuing the access token.

authTime
integer<int64>

The time when the user authentication was performed during the course of issuing the access token.

clientEntityIdUsed
boolean

Flag which indicates whether the entity ID of the client was used when the request for the access token was made.

clientIdentifier
string

The client Identifier associated with the newly issued access token.

sessionId
string

The session ID, which is the ID of the user's authentication session, associated with a newly created access token.

Response

resultCode
string

The code which represents the result of the API call.

resultMessage
string

A short message which explains the result of the API call.

action
enum<string>

The next action that the authorization server implementation should take.

Available options:
INTERNAL_SERVER_ERROR,
INVALID_CLIENT,
BAD_REQUEST,
PASSWORD,
OK,
TOKEN_EXCHANGE,
JWT_BEARER
responseContent
string

The content that the authorization server implementation is to return to the client application. Its format varies depending on the value of action parameter.

username
string

The value of username request parameter in the token request. The client application must specify username when it uses Resource Owner Password Grant. In other words, when the value of grant_type request parameter is password, username request parameter must come along.

This parameter has a value only if the value of grant_type request parameter is password and the token request is valid.

password
string

The value of password request parameter in the token request. The client application must specify password when it uses Resource Owner Password Grant. In other words, when the value of grant_type request parameter is password, password request parameter must come along.

This parameter has a value only if the value of grant_type request parameter is password and the token request is valid.

ticket
string

The ticket which is necessary to call Authlete's /auth/token/fail API or /auth/token/issue API.

This parameter has a value only if the value of grant_type request parameter is password and the token request is valid.

accessToken
string

The newly issued access token.

accessTokenExpiresAt
integer<int64>

The datetime at which the newly issued access token will expire. The value is represented in milliseconds since the Unix epoch (1970-01-01).

accessTokenDuration
integer<int64>

The duration of the newly issued access token in seconds.

refreshToken
string

The newly issued refresh token.

refreshTokenExpiresAt
integer<int64>

The datetime at which the newly issued refresh token will expire. The value is represented in milliseconds since the Unix epoch (1970-01-01).

refreshTokenDuration
integer<int64>

The duration of the newly issued refresh token in seconds.

idToken
string

The newly issued ID token. Note that an ID token is issued from a token endpoint only when the response_type request parameter of the authorization request to an authorization endpoint has contained code and the scope request parameter has contained openid.

grantType
string

The grant type of the token request.

clientId
integer<int64>

The client ID.

clientIdAlias
string

The client ID alias when the token request was made. If the client did not have an alias, this parameter is null. Also, if the token request was invalid and it failed to identify a client, this parameter is null.

clientIdAliasUsed
boolean

The flag which indicates whether the client ID alias was used when the token request was made. true if the client ID alias was used when the token request was made.

subject
string

The subject (= resource owner's ID) of the access token. Even if an access token has been issued by the call of /api/auth/token API, this parameter is null if the flow of the token request was Client Credentials Flow (grant_type=client_credentials) because it means the access token is not associated with any specific end-user.

scopes
string[]

The scopes covered by the access token.

properties
object[]

The extra properties associated with the access token. This parameter is null when no extra property is associated with the issued access token.

jwtAccessToken
string

The newly issued access token in JWT format. If the authorization server is configured to issue JWT-based access tokens (= if the service's accessTokenSignAlg value is a non-null value), a JWT-based access token is issued along with the original random-string one.

resources
string[]

The resources specified by the resource request parameters in the token request. See "Resource Indicators for OAuth 2.0" for details.

accessTokenResources
string[]

The target resources of the access token being issued. See "Resource Indicators for OAuth 2.0" for details.

authorizationDetails
object

The authorization details associated with the access token, representing the value of the authorization_details request parameter defined in "OAuth 2.0 Rich Authorization Requests" (RFC 9396).

serviceAttributes
object[]

The attributes of this service that the client application belongs to.

clientAttributes
object[]

The attributes of the client.

clientAuthMethod
string

The client authentication method that was performed at the token endpoint.

grantId
string

The value of the grant_id request parameter of the device authorization request.

The grant_id request parameter is defined in Grant Management for OAuth 2.0, which is supported by Authlete 2.3 and newer versions.

audiences
string[]

The audiences specified in the token exchange request.

requestedTokenType
enum<string>

The value of the requested_token_type request parameter of the token exchange request (RFC 8693), identifying the type of token the client asked for.

Available options:
urn:ietf:params:oauth:token-type:jwt,
urn:ietf:params:oauth:token-type:access_token,
urn:ietf:params:oauth:token-type:refresh_token,
urn:ietf:params:oauth:token-type:id_token,
urn:ietf:params:oauth:token-type:saml1,
urn:ietf:params:oauth:token-type:saml2,
DEVICE_CODE,
TOKEN_EXCHANGE,
JWT_BEARER
subjectToken
string

The value of the subject_token request parameter of the token exchange request (RFC 8693): the security token representing the subject.

subjectTokenType
enum<string>

The value of the subject_token_type request parameter of the token exchange request, identifying the type of the subject token.

Available options:
urn:ietf:params:oauth:token-type:jwt,
urn:ietf:params:oauth:token-type:access_token,
urn:ietf:params:oauth:token-type:refresh_token,
urn:ietf:params:oauth:token-type:id_token,
urn:ietf:params:oauth:token-type:saml1,
urn:ietf:params:oauth:token-type:saml2,
DEVICE_CODE,
TOKEN_EXCHANGE,
JWT_BEARER
subjectTokenInfo
object

Information about the subject token of the token exchange request.

actorToken
string

The value of the actor_token request parameter of the token exchange request (RFC 8693): the security token representing the acting party.

actorTokenType
enum<string>

The value of the actor_token_type request parameter of the token exchange request, identifying the type of the actor token.

Available options:
urn:ietf:params:oauth:token-type:jwt,
urn:ietf:params:oauth:token-type:access_token,
urn:ietf:params:oauth:token-type:refresh_token,
urn:ietf:params:oauth:token-type:id_token,
urn:ietf:params:oauth:token-type:saml1,
urn:ietf:params:oauth:token-type:saml2,
DEVICE_CODE,
TOKEN_EXCHANGE,
JWT_BEARER
actorTokenInfo
object

Information about the actor token of the token exchange request.

assertion
string

The value of the assertion request parameter of a JWT bearer grant request, as defined in RFC 7523, JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants.

previousRefreshTokenUsed
boolean

Indicates whether the previous refresh token, which is kept in the database for a short time after a refresh token is rotated, was the one used in the request.

clientEntityId
string

The entity ID of the client.

clientEntityIdUsed
boolean

Flag which indicates whether the entity ID of the client was used when the request for the access token was made.

cnonceDuration
integer<int64>

Duration of the c_nonce in seconds.

dpopNonce
string

The nonce value expected in the client's DPoP proof JWT, which should be returned to the client as the value of the DPoP-Nonce HTTP header.

cnonce
string

The c_nonce.

cnonceExpiresAt
integer<int64>

The time at which the c_nonce expires, in milliseconds since the Unix epoch (1970-01-01).

requestedIdTokenClaims
string[]

The names of the claims that the authorization request (which resulted in generation of the access token) requested to be embedded in ID tokens.

refreshTokenScopes
string[]

Scopes associated with the refresh token.

sessionId
string

The session ID, which is the ID of the user's authentication session, associated with a newly created access token.

deviceSecret
string

If the response from the /auth/token API contains the deviceSecret parameter, its value should be used as the value of this deviceSecret request parameter to the /nativesso API. The authorization server may choose to issue a new device secret; in that case, it is free to generate a new device secret and specify the new value.

If the response from the /auth/token API does not contain the deviceSecret parameter, or if its value is invalid, the authorization server must generate a new device secret and specify it in the deviceSecret parameter to the /nativesso API.

The specified value is used as the value of the device_secret property in the token response.

deviceSecretHash
string

The authorization server should compute the hash value of the device secret based on its own logic and specify the computed hash as the value of this deviceSecretHash request parameter to the /nativesso API.

When the deviceSecretHash parameter is omitted, the implementation of the /nativesso API generates the device secret hash by computing the SHA-256 hash of the device secret and encoding it with base64url. Note that this hash computation logic is not a rule defined in the Native SSO specification; rather, it is Authlete-specific fallback logic used when the deviceSecretHash parameter is omitted.