Exchange client credentials for an access token
Implements the RFC 6749 §4.4 client_credentials grant. Accepts the client id and secret either in the request body or via HTTP Basic auth, plus an optional space-separated `scope` parameter. The minted token is a bearer string prefixed with `oat_` and expires in one hour. Refresh tokens are not issued for this grant; request a new access token when the previous one expires.
Example request

```bash
curl -X POST "https://example.com/oauth/token" \
  -H "Content-Type: application/json" \
  -d '{}'
```

Response Body (application/json)

Success:

```json
{
  "access_token": "oat_aG93ZHkgcGFydG5lcg",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "cms:read brand:read"
}
```

Error:

```json
{
  "error": "string",
  "error_description": "string"
}
```
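Client-side handling of this grant, as an added example that is not taken from the API's own documentation or SDK: it builds the request with HTTP Basic credentials, validates the response fields shown above, reports scopes that were requested but not granted, and decides when to run the grant again, since no refresh token is issued. The function names, the 60-second renewal margin and the JSON request fields `grant_type` and `scope` are assumptions (the parameter names are RFC 6749's; the page shows only an empty JSON body).

```javascript
// Added example; function names and SKEW_MS are hypothetical, not the API's own.
const SKEW_MS = 60 * 1000; // assumed margin: renew one minute before expiry

// RFC 6749 §2.3.1: form-urlencode id and secret before joining them with ":".
function formEncode(s) {
  return encodeURIComponent(s)
    .replace(/[!'()*~]/g, (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase())
    .replace(/%20/g, "+");
}

function basicAuthHeader(clientId, clientSecret) {
  const pair = formEncode(clientId) + ":" + formEncode(clientSecret);
  return "Basic " + Buffer.from(pair, "utf8").toString("base64");
}

// Credentials go in the Authorization header only, not in the JSON body.
function buildTokenRequest(clientId, clientSecret, scopes) {
  const body = { grant_type: "client_credentials" }; // RFC name; JSON field is assumed
  if (scopes.length > 0) body.scope = scopes.join(" "); // space-separated, optional
  return {
    method: "POST",
    headers: { "Content-Type": "application/json", Authorization: basicAuthHeader(clientId, clientSecret) },
    body: JSON.stringify(body),
  };
}

// Validate the response and convert the relative lifetime to an absolute deadline.
function parseTokenResponse(ok, json, requestedScopes, nowMs) {
  if (!ok) throw new Error(`token request failed: ${json.error}: ${json.error_description}`);
  const { access_token: token, token_type: type, expires_in: ttl, scope } = json;
  if (typeof token !== "string" || !token.startsWith("oat_")) throw new Error("bad access_token");
  if (String(type).toLowerCase() !== "bearer") throw new Error("unexpected token_type");
  if (!Number.isInteger(ttl) || ttl <= 0) throw new Error("bad expires_in");
  const granted = String(scope || "").split(" ").filter(Boolean);
  // The server may grant fewer scopes than requested; surface that to the caller.
  const missing = requestedScopes.filter((s) => !granted.includes(s));
  return { accessToken: token, expiresAtMs: nowMs + ttl * 1000, granted, missing };
}

// No refresh token exists for this grant: renewing means running the grant again.
function needsRenewal(token, nowMs) {
  return !token || nowMs >= token.expiresAtMs - SKEW_MS;
}

// Response copied from the page's example; requested scopes are constructed.
const SAMPLE = { access_token: "oat_aG93ZHkgcGFydG5lcg", token_type: "Bearer", expires_in: 3600, scope: "cms:read brand:read" };
const parsed = parseTokenResponse(true, SAMPLE, ["cms:read", "brand:write"], Date.now());
console.log(parsed.granted, parsed.missing, needsRenewal(parsed, Date.now()));
```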
Introspect an access token (RFC 7662) POST
Returns metadata about an access token (or {active: false} for an unknown, expired, or revoked token). The OAuth application must authenticate either via HTTP Basic or via client_id/client_secret in the body — the same credentials that minted the token.