OAuth2 Token Endpoint
Overview
The OAuth2 token endpoint issues opaque (non-JWT) access tokens and refresh tokens. Because the tokens carry no verifiable signature, resource servers validate them server-side through the Token Introspection endpoint (and invalidate them through the Token Revocation endpoint) rather than by verifying a signature offline.
Endpoint
| Mode | Method | Endpoint |
|---|---|---|
| Manage From This Policy | POST | https://yourApinizerAddress/auth/token |
| Manage From ACL | POST | https://yourApinizerAddress/credential/token |
Request
Headers
| Header | Value | Required |
|---|---|---|
| Content-Type | application/x-www-form-urlencoded | Yes |
| Authorization | Basic (base64-encoded credentials) | See below |
Authentication
Callers must authenticate using HTTP Basic authentication in the Authorization header:

```
Authorization: Basic base64(client_id:client_secret)
```

- In "Manage From This Policy" mode: `client_id` and `client_secret` are the application key and secret from the API proxy, proxy group, or policy group Overview section.
- In "Manage From ACL" mode: `client_id` and `client_secret` are taken from the credential entity.
Alternatively, credentials can be sent in the request body (see below).
Request Body
The request body is sent as application/x-www-form-urlencoded with the following parameters:
client_credentials Grant Type
| Parameter | Type | Required | Description |
|---|---|---|---|
| grant_type | string | Yes | Must be client_credentials |
| client_id | string | Yes (if not in Authorization header) | The application key or credential client ID |
| client_secret | string | Yes (if not in Authorization header) | The application secret or credential client secret |
| scope | string | No | Space-separated list of requested scopes |
password Grant Type
| Parameter | Type | Required | Description |
|---|---|---|---|
| grant_type | string | Yes | Must be password |
| client_id | string | Yes (if not in Authorization header) | The application key or credential client ID |
| client_secret | string | Yes (if not in Authorization header) | The application secret or credential client secret |
| username | string | Yes | Username from the selected authentication pool |
| password | string | Yes | Password from the selected authentication pool |
| scope | string | No | Space-separated list of requested scopes |
refresh_token Grant Type
| Parameter | Type | Required | Description |
|---|---|---|---|
| grant_type | string | Yes | Must be refresh_token |
| client_id | string | Yes (if not in Authorization header) | The application key or credential client ID |
| client_secret | string | Yes (if not in Authorization header) | The application secret or credential client secret |
| refresh_token | string | Yes | The refresh token value from a previous token response |
Example Request: client_credentials
```bash
curl -X POST \
  "https://yourApinizerAddress/auth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic $(echo -n 'your-app-key:your-app-secret' | base64)" \
  -d "grant_type=client_credentials"
```
Or using the request body:
```bash
curl -X POST \
  "https://yourApinizerAddress/auth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=your-app-key&client_secret=your-app-secret"
```
Example Request: password Grant
```bash
curl -X POST \
  "https://yourApinizerAddress/auth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password&client_id=your-app-key&client_secret=your-app-secret&username=user1&password=user_password"
```
Example Request: refresh_token Grant
```bash
curl -X POST \
  "https://yourApinizerAddress/auth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token&client_id=your-app-key&client_secret=your-app-secret&refresh_token=the_refresh_token_value"
```
Response
Success Response (200 OK)
```json
{
  "access_token": "opaque_token_value_here",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "refresh_token_value_here",
  "scope": "read write"
}
```
| Field | Type | Description |
|---|---|---|
| access_token | string | The issued OAuth2 opaque token |
| token_type | string | Always Bearer |
| expires_in | integer | Token expiration time in seconds |
| refresh_token | string | The refresh token (if refresh is enabled) |
| scope | string | Resolved scope for the token (if scope was requested and roles are configured) |
Note: The scope field is only included in the response if scope was requested in the request body and the endpoint is configured to return it. This behavior is controlled by Token Management Settings.
Error Response (400 Bad Request)
```json
{
  "error": "invalid_grant",
  "error_description": "The client_credentials are invalid or the user is not found."
}
```
Common error codes:

- `invalid_client` — Authentication failed (invalid client_id or client_secret)
- `invalid_grant` — Grant type is not supported or credentials are invalid
- `invalid_scope` — Requested scope is not available for this client
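The following client ties the request format (Basic header, form-encoded grant parameters) and the response formats above together. It is an added example, not Apinizer's own code; the hostname is the placeholder from this page, "Manage From This Policy" mode is assumed, and the `send` parameter exists only so the flow can be exercised offline against constructed responses.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed "Manage From This Policy" mode; use /credential/token for "Manage From ACL".
TOKEN_URL = "https://yourApinizerAddress/auth/token"

class TokenError(Exception):
    """Carries the error / error_description pair from a 400 response."""
    def __init__(self, error, description=""):
        super().__init__(f"{error}: {description}")
        self.error = error

def build_request(client_id, client_secret, grant_type, **params):
    """Return (url, headers, body) for one grant. Credentials go in the Basic
    header, not the form body, so body-logging proxies never see the secret."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Authorization": f"Basic {creds}"}
    body = urllib.parse.urlencode({"grant_type": grant_type, **params}).encode()
    return TOKEN_URL, headers, body

def parse_token_response(status, raw):
    """200 -> normalised dict; anything else -> TokenError from the error body.
    refresh_token and scope are optional per the response table above."""
    data = json.loads(raw)
    if status != 200:
        raise TokenError(data.get("error", "unknown"), data.get("error_description", ""))
    if data.get("token_type") != "Bearer":
        raise TokenError("unexpected_token_type", str(data.get("token_type")))
    scope = data.get("scope")
    return {"access_token": data["access_token"], "expires_in": int(data["expires_in"]),
            "refresh_token": data.get("refresh_token"), "scopes": scope.split() if scope else []}

def http_send(url, headers, body):
    """Real transport: POST and return (status, body) for 2xx and 4xx alike."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()

def fetch_token(client_id, client_secret, grant_type, send=http_send, **params):
    """fetch_token(k, s, "client_credentials", scope="read write") or
    fetch_token(k, s, "refresh_token", refresh_token=old_refresh_token)."""
    return parse_token_response(*send(*build_request(client_id, client_secret, grant_type, **params)))
```

Treat the returned `access_token` and `refresh_token` as secrets: store them only in memory or a protected store, and never log the raw values.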
Related Pages
- JWT Token Endpoint — Issue JWT tokens instead
- Token Introspection — Check token validity
- Token Revocation — Revoke tokens
- Discovery & JWKS — Discover endpoints and public keys