- URL: https://[root]/oauth2/token
- Methods: GET
Example usage
https://www.arcgis.com/sharing/rest/oauth2/token
Description
The first step of an authorization grant is the authorization, and the access token step of that flow is described below. In addition to issuing user access tokens as part of the authorization grant, this end point can also be used to refresh access tokens and issue application tokens. The overall OAuth2 authentication flow is described in Authentication.
The type of token issued is based on the grant_type parameter as follows:
- authorization_code
- client_credentials
- exchange_refresh_token
- refresh_token
The required request parameters vary based on the grant_type, as specified in the following table:
Grant type | Required parameters |
---|---|
|
|
|
|
|
|
|
|
Request parameters
Parameter | Details |
---|---|
(Required) | The ID of the registered application. This is also referred to as APPID. Example:
|
(Required) | The type of grant requested. The type of token issued is based on the
Example:
|
(Required when | The secret of the registered application. This is also referred to as APPSECRET. Example:
|
(Required when | The authorization code obtained as a result of the authorization step. Example:
|
(Required when | The URI specified during the authorization step. The URIs must match; otherwise, authorization will be rejected. Example:
|
(Required when | The Example:
|
| The code verifier for the PKCE request that was generated before the authorization request. If the verifier matches the expected value, the server issues an access token. Otherwise, the server responds with the following error:
|
JSON Response example
{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "expires_in": 1800, // expiration in seconds from now
  "username": "jsmith", // signed-in username
  "ssl": true, // returned true for ArcGIS Online
  "refresh_token": "GysTpIui-oxWTTIs", // ONLY returned when grant_type=authorization_code or grant_type=exchange_refresh_token
  "refresh_token_expires_in": 604799 // expiration in seconds from now
}
Examples
This end point is used for all examples:
https://www.arcgis.com/sharing/rest/oauth2/token
grant_type=authorization_code
Assume these parameters:
client_id=GGjeDjEY6kKEiDmX&
grant_type=authorization_code&
redirect_uri=https://app.example.com/cb&
code=KIV31WkDhY6XIWXmWAc6U
PKCE flow
Assume these parameters:
client_id=GGjeDjEY6kKEiDmX&
grant_type=authorization_code&
redirect_uri=https://app.example.com/cb&
code=KIV31WkDhY6XIWXmWAc6U&
code_verifier=fasdfads7645fassd33asddfasdf
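The verifier check described for the PKCE flow, as an added example that is not Esri's code: it assumes the S256 challenge method from RFC 7636, which this page does not specify, and the function names are hypothetical. RFC 7636 requires a verifier of 43 to 128 unreserved characters, so the 28-character placeholder verifier above is rejected by this check.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

TOKEN_URL = "https://www.arcgis.com/sharing/rest/oauth2/token"  # from the page
# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def new_code_verifier() -> str:
    """Generate a high-entropy verifier (32 random bytes -> 43 characters)."""
    return secrets.token_urlsafe(32)


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(verifier)), '=' padding removed."""
    if not VERIFIER_RE.fullmatch(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verifier_matches(verifier: str, stored_challenge: str) -> bool:
    """The comparison an authorization server makes at the token step
    (assumption: S256 was the method chosen at the authorization step)."""
    try:
        expected = s256_challenge(verifier)
    except ValueError:
        return False
    return hmac.compare_digest(expected, stored_challenge)


def pkce_token_request(client_id, redirect_uri, code, verifier) -> str:
    """Build the token request from the page's PKCE example, URL-encoded."""
    params = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }
    return TOKEN_URL + "?" + urlencode(params)
```

Generate the verifier once per authorization request and keep it only in the client that started the flow; the challenge is the only value that travels with the authorization step.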
grant_type=client_credentials
Assume these parameters:
client_id=GGjeDjEY6kKEiDmX&
grant_type=client_credentials&
client_secret=57e2f75cd56346bf9d5654c3338a1250
grant_type=exchange_refresh_token
Assume these parameters:
client_id=GGjeDjEY6kKEiDmX&
grant_type=exchange_refresh_token&
redirect_uri=https://app.example.com/cb&
refresh_token=GysTpIui-oxWTTIs
grant_type=refresh_token
Assume these parameters:
client_id=GGjeDjEY6kKEiDmX&
grant_type=refresh_token&
refresh_token=GysTpIui-oxWTTIs