Exchange authorization code for access token
This endpoint is used to exchange an authorization code or a pre-authorized code for an access token, which is later used to request a credential.
- In an Authorization Code flow the authorization code is obtained from the authorization endpoint after the user has successfully authenticated.
- In a Pre-authorized Code flow the pre-authorized code is obtained from the offer URI.
See https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-token-endpoint for more information.
POST /v1/oauth/token

Header Parameters
DPoP proof JWT. A signed JWT that demonstrates proof-of-possession of a private key.
DPoP support is currently offered as a tech preview. As such, functionality may be limited, may not work in all scenarios, and could change or break without prior notice.
When to use:
- Token endpoint: required when dpop_jkt was provided in the authorization request.
- Credential endpoint: required when using DPoP-bound access tokens (the Authorization header must use the format: Authorization: DPoP <access_token>).
The DPoP proof must be a signed JWT with the following structure:
Header:
- alg: Must be ES256
- typ: Must be dpop+jwt
- jwk: Public key (JWK format)
Payload:
- htu: HTTP URI of the target endpoint
- htm: HTTP method (e.g., POST)
- jti: Unique identifier for this DPoP proof
- iat: Unix timestamp when the DPoP proof was created
- ath: Optional base64url-encoded SHA-256 hash of the access_token. Required when authenticating with the resource server.
- htcd: Optional base64-encoded SHA-256 hash (content digest) of the HTTP request payload, used to validate integrity.
Each DPoP proof must be unique and cannot be reused across requests.
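The DPoP structure above is easier to get right, and to verify, with working code. The following is an added example written for this page, not MATTR's own code: it assembles the header and payload exactly as listed (alg, typ, jwk; htu, htm, jti, iat and the optional ath), produces the compact-serialisation signing input, and applies the claim checks a receiving endpoint performs before trusting a proof (exact alg/typ, htu compared without query and fragment, htm, iat freshness window, jti replay rejection, ath bound to the presented token). Assumptions: the ES256 signature over signing_input is produced and verified by a JWS library that is not shown, the 60-second acceptance window and the error strings are this example's own choices, and the JWK coordinates in the usage section are constructed placeholders.

```python
"""Added example (not MATTR's code): build and check DPoP proof claims."""
import base64
import hashlib
import json
import time
import urllib.parse
import uuid
from typing import Optional, Tuple


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compute_ath(access_token: str) -> str:
    """ath claim: base64url(SHA-256(access_token)), required at the resource server."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())


def build_dpop_proof_parts(jwk: dict, htu: str, htm: str,
                           access_token: Optional[str] = None,
                           now: Optional[int] = None,
                           jti: Optional[str] = None) -> Tuple[dict, dict, str]:
    """Return (header, payload, signing_input) for a DPoP proof.

    The caller signs signing_input with ES256 (assumption: via a JWS library)
    and appends '.' + base64url(signature) to obtain the proof JWT.
    """
    header = {"alg": "ES256", "typ": "dpop+jwt", "jwk": jwk}
    payload = {
        "htu": htu,
        "htm": htm,
        "jti": jti or str(uuid.uuid4()),          # fresh per request, never reused
        "iat": now if now is not None else int(time.time()),
    }
    if access_token is not None:                  # only when presenting the token
        payload["ath"] = compute_ath(access_token)
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    return header, payload, signing_input


def split_compact_jws(token: str) -> Tuple[dict, dict]:
    """Receiver side: parse header and payload of a compact JWS (signature not checked here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def _normalize_htu(uri: str) -> str:
    # htu is compared without query and fragment; scheme and host are case-insensitive
    p = urllib.parse.urlsplit(uri)
    return urllib.parse.urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))


def check_dpop_claims(header: dict, payload: dict, *, expected_htu: str, expected_htm: str,
                      seen_jtis: set, now: int, access_token: Optional[str] = None,
                      max_skew: int = 60) -> list:
    """Return a list of problems; an empty list means the claims are acceptable.

    Only records the jti as used when every check passed, so a rejected proof
    cannot poison the replay cache. Signature verification against header['jwk']
    must happen separately (assumed to be done by a JWS library).
    """
    errors = []
    if header.get("alg") != "ES256":
        errors.append("alg must be ES256")
    if header.get("typ") != "dpop+jwt":
        errors.append("typ must be dpop+jwt")
    jwk = header.get("jwk")
    if not isinstance(jwk, dict) or "d" in jwk:     # 'd' would be a leaked private scalar
        errors.append("jwk missing or contains private key material")
    if _normalize_htu(str(payload.get("htu", ""))) != _normalize_htu(expected_htu):
        errors.append("htu does not match the request URI")
    if payload.get("htm") != expected_htm:
        errors.append("htm does not match the request method")
    iat = payload.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > max_skew:
        errors.append("iat missing or outside the acceptance window")
    jti = payload.get("jti")
    if not jti:
        errors.append("jti missing")
    elif jti in seen_jtis:
        errors.append("jti already used (replay)")
    if access_token is not None and payload.get("ath") != compute_ath(access_token):
        errors.append("ath does not match the presented access token")
    if not errors:
        seen_jtis.add(jti)
    return errors


if __name__ == "__main__":
    # Constructed JWK placeholder; a real proof carries the actual P-256 public point.
    jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
    htu = "https://example.vii.au01.mattr.global/v1/oauth/token"
    h, p, signing_input = build_dpop_proof_parts(jwk, htu, "POST")
    seen = set()
    print(check_dpop_claims(h, p, expected_htu=htu, expected_htm="POST",
                            seen_jtis=seen, now=int(time.time())))
```

The replay cache (`seen_jtis`) must be shared across all server instances that accept proofs and needs to retain each jti at least as long as the iat window, otherwise a proof replayed against a different node would pass.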
JWT generated by the Client Attester (Backend) attesting to a validated Client Instance and bound to a key managed by the Client Instance, ensuring proof of possession.
Client Attestation support is currently offered as a tech preview. As such, functionality may be limited, may not work in all scenarios, and could change or break without prior notice.
When to use:
- When client attestation is configured for this client_id
Header:
- alg: Must be ES256
- typ: Must be oauth-client-attestation+jwt
- x5c: Must be an array of base64-encoded X.509 end-entity certificates bound to the configured client attestation root certificate.
Payload:
- sub: OAuth client_id matching the request
- client_instance_id: Optional identifier to represent the client/app instance.
- iat: Unix timestamp when the token was created
- exp: Unix timestamp when the token will expire
- cnf.jwk: JWK public key from the client instance that the authorization server uses to verify the signature of subsequent DPoP or PoP proofs.
Request Body
application/x-www-form-urlencoded
- client_id: The client identifier.
- grant_type: The grant type, which must be 'authorization_code'. Example: "authorization_code"
- redirect_uri: The redirect URI that was used in the authorization request.
- code: The authorization code obtained from the authorization endpoint.
- code_verifier: SHA256 hash of the code_challenge in the authorization request.
Response Body
- Success: application/json
- Error: application/json
- Unauthorized: text/plain

Request example:

curl -X POST "https://example.vii.au01.mattr.global/v1/oauth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'client_id=string&grant_type=authorization_code&redirect_uri=string&code=string&code_verifier=string'

Success response (application/json):

{
  "access_token": "KrrFP8GUeddJJtj7EF-4ugdvCl-dDdWwOqvAbvYsmfy",
  "token_type": "Bearer",
  "expires_in": 900,
  "scope": "mso_mdoc:org.iso.18013.5.1.mDL"
}

Error response (application/json):

{
  "code": "string",
  "message": "string",
  "details": [
    {
      "value": "string",
      "msg": "Invalid value",
      "param": "id",
      "location": "body"
    }
  ]
}

Unauthorized response (text/plain):

"Unauthorized"
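The request body fields and the three response shapes above map onto a small client helper. The following is an added example written for this page, not MATTR's own code: it generates a PKCE pair the way RFC 7636 S256 defines it (code_challenge = base64url(SHA-256(code_verifier))), shows the matching server-side comparison, builds the form-encoded token request with the field names from the curl example, optionally attaches a DPoP proof, and normalises the success, error and text/plain "Unauthorized" responses into one result shape. Assumptions: the host is the one from the page's curl example, the DPoP proof is carried in the DPoP request header defined by RFC 9449, the client attestation JWT is passed through extra_headers because this page does not name its header, and the sample response bodies in the usage section are constructed.

```python
"""Added example (not MATTR's code): PKCE pair, token request and response handling."""
import base64
import hashlib
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, Optional, Tuple

TOKEN_URL = "https://example.vii.au01.mattr.global/v1/oauth/token"  # host from the page's curl


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Client side: 32 random bytes give a 43-character code_verifier; S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def pkce_challenge_matches(verifier: str, challenge: str) -> bool:
    """Server side: recompute S256 over the presented verifier and compare in constant time."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def build_token_request(client_id: str, redirect_uri: str, code: str, code_verifier: str,
                        dpop_proof: Optional[str] = None,
                        extra_headers: Optional[Dict[str, str]] = None) -> Tuple[str, Dict[str, str], str]:
    """Return (url, headers, body) for the authorization_code grant described above."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if dpop_proof:
        headers["DPoP"] = dpop_proof          # RFC 9449 header name (assumption for this API)
    if extra_headers:
        headers.update(extra_headers)          # e.g. the client attestation JWT header
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,
    })
    return TOKEN_URL, headers, body


def post_token_request(url: str, headers: Dict[str, str], body: str) -> Tuple[int, str, str]:
    """Send the request; returns (status, content_type, body) for both 2xx and error statuses."""
    req = urllib.request.Request(url, data=body.encode("ascii"), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), err.read().decode("utf-8")


def parse_token_response(status: int, content_type: str, body: str) -> dict:
    """Normalise the success JSON, the error JSON and the text/plain 'Unauthorized' body."""
    if content_type.startswith("application/json"):
        data = json.loads(body)
        if status < 300 and "access_token" in data:
            return {"ok": True, "access_token": data["access_token"],
                    "token_type": data.get("token_type"), "expires_in": data.get("expires_in"),
                    "scope": data.get("scope")}
        # error shape: code, message, details[{value,msg,param,location}]
        return {"ok": False, "code": data.get("code"), "message": data.get("message"),
                "details": [(d.get("param"), d.get("msg")) for d in data.get("details", [])]}
    # text/plain, e.g. "Unauthorized" (possibly JSON-quoted); never log the request body here
    return {"ok": False, "code": None, "message": body.strip().strip('"'), "details": []}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()   # challenge goes in the authorization request
    url, headers, body = build_token_request("client-1", "https://app.example/cb", "CODE", verifier)
    print(parse_token_response(*post_token_request(url, headers, body)))
```

Keep the code_verifier only in the client that started the authorization request and send it once; because the server recomputes the S256 hash and compares it to the stored code_challenge, an authorization code intercepted in transit cannot be redeemed without it.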