POST /api/{serviceId}/auth/token/create

Typescript (SDK)
import { Authlete } from "@authlete/typescript-sdk";

const authlete = new Authlete({
  bearer: process.env["AUTHLETE_BEARER"] ?? "",
});

async function run() {
  const result = await authlete.token.management.create({
    serviceId: "<id>",
    tokenCreateRequest: {
      grantType: "AUTHORIZATION_CODE",
      clientId: 26888344961664,
      subject: "john",
      scopes: [
        "history.read",
        "timeline.read",
      ],
    },
  });

  console.log(result);
}

run();
Response example

{
  "resultCode": "A109001",
  "resultMessage": "[A109001] An access token was created successfully: authorization_code, client = 26888344961664",
  "accessToken": "Z5a40U6dWvw2gMoCOAFbZcM85q4HC0Z--0YKD9-Nf6Q",
  "action": "OK",
  "clientId": 26888344961664,
  "expiresAt": 1642048148973,
  "expiresIn": 3600,
  "grantType": "AUTHORIZATION_CODE",
  "refreshToken": "9beh15GWkGLseBBO1tPobnsGpKLHV3mTkm0EWnNBa4g",
  "scopes": [
    "history.read",
    "timeline.read"
  ],
  "subject": "john",
  "tokenType": "Bearer"
}

Authorizations

Authorization (string, header, required)

Authenticate every request with a Service Access Token or Organization Token. Set the token value in the Authorization: Bearer <token> header.

Service Access Token: Scoped to a single service. Use when automating service-level configuration or runtime flows.

Organization Token: Scoped to the organization; inherits permissions across services. Use for org-wide automation or when managing multiple services programmatically.

Both token types are issued by the Authlete console or provisioning APIs.

Path Parameters

serviceId (string, required)

A service ID.

Body

grantType (enum<string>, required)

The grant type to associate with the newly created access token.

Available options: AUTHORIZATION_CODE, IMPLICIT, PASSWORD, CLIENT_CREDENTIALS, REFRESH_TOKEN, CIBA, DEVICE_CODE, TOKEN_EXCHANGE, JWT_BEARER, PRE_AUTHORIZED_CODE

clientId (integer<int64>)

The ID of the client application which will be associated with a newly created access token.

subject (string)

The subject (= unique identifier) of the user who will be associated with a newly created access token. This parameter is required unless the grant type is CLIENT_CREDENTIALS. The value must consist of only ASCII characters and its length must not exceed 100.

scopes (string[])

The scopes which will be associated with a newly created access token. Scopes that are not supported by the service cannot be specified and requesting them will cause an error.

accessTokenDuration (integer<int64>)

The duration of a newly created access token in seconds. If the value is 0, the duration is determined according to the settings of the service.

refreshTokenDuration (integer<int64>)

The duration of a newly created refresh token in seconds. If the value is 0, the duration is determined according to the settings of the service.

A refresh token is not created (1) if the service does not support REFRESH_TOKEN, or (2) if the specified grant type is either IMPLICIT or CLIENT_CREDENTIALS.

properties (object[])

Extra properties to associate with a newly created access token. Note that the properties parameter is accepted only when the HTTP method of the request is POST and the Content-Type of the request is application/json, so do not use the GET method or application/x-www-form-urlencoded if you want to specify properties.

clientIdAliasUsed (boolean)

Indicates whether to emulate that the client ID alias, rather than the original numeric client ID, is used when the new access token is created.

accessToken (string)

The value of the new access token.

refreshToken (string)

The value of the new refresh token.

accessTokenPersistent (boolean)

Whether the access token expires or not. By default, all access tokens expire after a period of time determined by their service.

If this request parameter is true, the access token will not automatically expire and must be revoked or deleted manually at the service; the accessTokenDuration request parameter is then ignored.

certificateThumbprint (string)

The thumbprint of the MTLS certificate bound to this token. If this property is set, a certificate with the corresponding thumbprint MUST be presented together with the access token whenever a client uses it. The value must be a SHA-256 certificate thumbprint, base64url encoded.

dpopKeyThumbprint (string)

The thumbprint of the public key used for DPoP presentation of this token. If this property is set, a DPoP proof signed with the corresponding private key MUST be presented together with the access token whenever a client uses it. Additionally, the token's token_type will be set to 'DPoP'.

authorizationDetails (object)

The authorization details. This represents the value of the authorization_details request parameter in the preceding device authorization request, as defined in "OAuth 2.0 Rich Authorization Requests".

resources (string<uri>[])

The resources to associate with the token. This property represents the value of one or more resource request parameters, as defined in "RFC8707 Resource Indicators for OAuth 2.0".

forExternalAttachment (boolean)

The flag which indicates whether the access token is for an external attachment.

jwtAtClaims (string)

Additional claims that are added to the payload part of the JWT access token.

acr (string)

The Authentication Context Class Reference of the user authentication that the authorization server performed during the course of issuing the access token.

authTime (integer<int64>)

The time when the user authentication was performed during the course of issuing the access token.

clientEntityIdUsed (boolean)

Flag which indicates whether the entity ID of the client was used when the request for the access token was made.

clientIdentifier (string)

The client identifier associated with the newly issued access token.

sessionId (string)

The session ID, which is the ID of the user's authentication session, associated with a newly created access token.

metadataDocumentUsed (boolean)

Flag indicating whether a metadata document was used to resolve client metadata for this request.

When true, the client metadata was retrieved via the OAuth Client ID Metadata Document (CIMD) mechanism rather than from the Authlete database.
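As an added example (not code from this page or from the Authlete SDK), a TypeScript helper that checks a token/create request against the constraints documented above (subject rules, supported scopes, accessTokenPersistent versus accessTokenDuration, the base64url SHA-256 form of certificateThumbprint) and reports whether a refresh token should be expected for the grant type. The list of scopes the service supports and the DER certificate bytes are assumptions supplied by the caller.

```typescript
// Added example, not the Authlete SDK's code: validates a token/create request against
// the rules documented on the page and computes the certificateThumbprint value.
import { createHash } from "crypto";

type GrantType = "AUTHORIZATION_CODE" | "IMPLICIT" | "PASSWORD" | "CLIENT_CREDENTIALS" |
  "REFRESH_TOKEN" | "CIBA" | "DEVICE_CODE" | "TOKEN_EXCHANGE" | "JWT_BEARER" | "PRE_AUTHORIZED_CODE";

interface TokenCreateRequest {
  grantType: GrantType;
  clientId?: number;
  subject?: string;
  scopes?: string[];
  accessTokenDuration?: number;
  accessTokenPersistent?: boolean;
  certificateThumbprint?: string;
}
// Returns the documented rules the request violates; an empty list means it is acceptable.
// supportedScopes is assumed to be the service's configured scope list.
function validateTokenCreateRequest(req: TokenCreateRequest, supportedScopes: string[]): string[] {
  const problems: string[] = [];
  if (req.grantType !== "CLIENT_CREDENTIALS" && !req.subject) {
    problems.push("subject is required unless grantType is CLIENT_CREDENTIALS");
  }
  if (req.subject !== undefined) {
    if (!/^[\x00-\x7F]*$/.test(req.subject)) problems.push("subject must contain only ASCII characters");
    if (req.subject.length > 100) problems.push("subject must not exceed 100 characters");
  }
  for (const s of req.scopes ?? []) {
    if (!supportedScopes.includes(s)) problems.push(`scope is not supported by the service: ${s}`);
  }
  if (req.accessTokenPersistent && req.accessTokenDuration) {
    problems.push("accessTokenDuration is ignored when accessTokenPersistent is true");
  }
  // A base64url-encoded SHA-256 digest is always 43 characters with no padding.
  if (req.certificateThumbprint !== undefined && !/^[A-Za-z0-9_-]{43}$/.test(req.certificateThumbprint)) {
    problems.push("certificateThumbprint must be a base64url-encoded SHA-256 thumbprint");
  }
  return problems;
}

// SHA-256 over the DER-encoded client certificate, base64url without padding: the form
// certificateThumbprint expects and what the resource server recomputes from the presented cert.
function certificateThumbprint(der: Buffer): string {
  return createHash("sha256").update(der).digest("base64url");
}

// Whether a refresh token should be expected, per the refreshTokenDuration notes above.
function refreshTokenExpected(grantType: GrantType, serviceSupportsRefreshToken: boolean): boolean {
  return serviceSupportsRefreshToken && grantType !== "IMPLICIT" && grantType !== "CLIENT_CREDENTIALS";
}
```

Run the checks before calling the API so that a rejected request never reaches Authlete, and compare certificateThumbprint(der) with the value you bind to the token.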

Response

Token created successfully

resultCode (string)

The code which represents the result of the API call.

resultMessage (string)

A short message which explains the result of the API call.

action (enum<string>)

The next action that the authorization server implementation should take.

Available options: INTERNAL_SERVER_ERROR, BAD_REQUEST, FORBIDDEN, OK

accessToken (string)

The newly issued access token.

clientId (integer<int64>)

The ID of the client application associated with the access token.

expiresAt (integer<int64>)

The time at which the access token expires.

expiresIn (integer<int64>)

The duration of the newly issued access token in seconds.

grantType (string)

The grant type for the newly issued access token.

properties (object[])

The extra properties associated with the access token.

refreshToken (string)

The newly issued refresh token.

scopes (string[])

Scopes which are associated with the access token.

subject (string)

The subject (= unique identifier) of the user associated with the newly issued access token.

tokenType (string)

The token type of the access token.

jwtAccessToken (string)

If the authorization server is configured to issue JWT-based access tokens (= if Service.accessTokenSignAlg is set to a non-null value), a JWT-based access token is issued along with the original random-string one.

authorizationDetails (object)

The authorization details. This represents the value of the authorization_details request parameter in the preceding device authorization request, as defined in "OAuth 2.0 Rich Authorization Requests".

forExternalAttachment (boolean)

The flag which indicates whether the access token is for an external attachment.

tokenId (string)

The unique token identifier.

refreshTokenScopes (string[])

The scopes associated with the refresh token. May be null.

clientIdentifier (string)

The client identifier associated with the newly created access token.

sessionId (string)

The session ID associated with the newly created access token.

NOTE: A refresh token must be associated with a session ID, which is the ID of the user's authentication session, in order to be used to obtain a Native SSO-compliant ID token in the refresh token flow.