/{customer_id}/login/token

Issues access, refresh, and identity tokens based on the requested grant type. 

Authentication

This endpoint requires Basic authentication. When configuring authentication, you must use the client ID of a confidential OpenID Connect (OIDC) client as your username and the client secret of that same OIDC client as your password. Attempting to access this endpoint by using a public OIDC client (which does not have a client secret) will result in an authentication error.

Methods

This endpoint supports the following methods:

  • POST
 

POST

Description

Issues access tokens and refresh tokens based on the requested grant type:

  • If the grant_type is set to authorization_code, an authorization code is exchanged for an access token, a refresh token, and an identity token.
  • If the grant_type is set to refresh_token, a refresh token is exchanged for a new access token.
  • If the grant_type is set to client_credentials, an access token is issued for the client based on its associated token policy.


Path Parameters

The path parameters that must be included in the request are listed in the following table:

| Name | Type | Required | Description |
|---|---|---|---|
| {customer_id} | string | Yes | Unique identifier of the customer requesting a token. |


Request Parameters

The application/x-www-form-urlencoded parameters for the /{customer_id}/login/token endpoint include the following:

| Name | Type | Description |
|---|---|---|
| grant_type | string | Specifies the type of authorization grant being requested. Allowed values are: authorization_code (indicates that you want to exchange an authorization code for an access token, a refresh token, and an identity token); refresh_token (indicates that you want to exchange a refresh token for a new access token); client_credentials (requests an access token to be issued based on the client’s token policy). |
| code | string | The authorization code being exchanged. This parameter is required when using the following grant types: authorization_code. |
| refresh_token | | The refresh token being exchanged. This parameter is required when using the following grant types: refresh_token. |
| code_verifier | | Required if you are using PKCE (Proof Key for Code Exchange) and your original authorization request includes the code_challenge parameter. The code_verifier value must be the same value used to generate the initial code challenge. This parameter is required when using the following grant types: authorization_code (PKCE requests only). |
| redirect_uri | | URL of the page the user will be redirected to following the token exchange. This parameter is required when using the following grant types: authorization_code. |
| scope | | The value specified must match the scopes requested in the token policy associated with the OIDC configuration client. This parameter is required when using the following grant types: client_credentials. |
| client_id | | Client ID of the OIDC client that made the initial authorization request. This parameter is required when using the following grant types: authorization_code, refresh_token. |
| client_secret | | Client secret of the OIDC client that made the initial authorization request. This parameter is required when using the following grant types: authorization_code (non-PKCE requests only). |
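
As an added example (not part of the original documentation), the following Python code assembles the Basic credentials described under Authentication and checks the body parameters that the table above marks as required for each grant type, without sending anything. The function names, the REQUIRED map, and the sample host and credentials are assumptions made for illustration.

```python
import base64
from urllib.parse import urlencode

# Required body parameters per grant type, taken from the Request Parameters
# table on this page (code_verifier and client_secret depend on PKCE use).
REQUIRED = {
    "authorization_code": {"code", "redirect_uri", "client_id"},
    "refresh_token": {"refresh_token", "client_id"},
    "client_credentials": {"scope"},
}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Return 'Basic base64(client_id:client_secret)'. This is encoding, not encryption."""
    if not client_secret:
        raise ValueError("a public client has no secret and cannot authenticate here")
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(base_url, customer_id, client_id, client_secret,
                        grant_type, **params):
    """Return (url, headers, body) for POST /{customer_id}/login/token."""
    if not base_url.startswith("https://"):
        # Basic credentials are trivially reversible, so refuse plain HTTP.
        raise ValueError("token endpoint must be called over HTTPS")
    if grant_type not in REQUIRED:
        raise ValueError(f"unsupported grant_type: {grant_type}")
    body = {"grant_type": grant_type, **params}
    missing = REQUIRED[grant_type] - set(body)
    if missing:
        raise ValueError(f"missing parameters for {grant_type}: {sorted(missing)}")
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    url = f"{base_url.rstrip('/')}/{customer_id}/login/token"
    return url, headers, urlencode(body)


if __name__ == "__main__":
    # Constructed sample values; the host and credentials are placeholders.
    url, headers, body = build_token_request(
        "https://auth.example.test", "00000000-0000-0000-0000-000000000000",
        "example-client-id", "example-secret",
        "client_credentials", scope=":config/**")
    print(url, headers["Content-Type"], body, sep="\n")
```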


Sample Request (Curl): authorization_code Grant (non-PKCE)

The following command exchanges the authorization code K2MzvxY8nIRhNQYe for a set of tokens:


curl -X POST \
 https://v1.api.us.janrain.com/00000000-0000-0000-0000-000000000000/login/token \
  -H 'Authorization: Bearer RcaWTi0woO52rqZjlbApm2lL3Aokzd1bhCZZajX51aX4IQrH1Uj1D4ks9HfJtxoRI7HCsyNVoc6Qj4oBfuplftc7tMbR26eZHwtEqaw9RLMBeIJDvqvqyD4l' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=authorization_code' \
  -d 'redirect_uri=https%3A%2F%2Fdocumentation.akamai.com' \
  -d 'code=K2MzvxY8nIRhNQYe' \
  -d 'client_id=9e7f2429-496d-4437-b516-048472613cf9'


Sample Request (Curl): authorization_code Grant (PKCE)

The following command uses the PKCE flow to exchange the authorization code K2MzvxY8nIRhNQYe for a set of tokens:


curl -X POST \
 https://v1.api.us.janrain.com/00000000-0000-0000-0000-000000000000/login/token \
  -H 'Authorization: Bearer RcaWTi0woO52rqZjlbApm2lL3Aokzd1bhCZZajX51aX4IQrH1Uj1D4ks9HfJtxoRI7HCsyNVoc6Qj4oBfuplftc7tMbR26eZHwtEqaw9RLMBeIJDvqvqyD4l' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=authorization_code' \
  -d 'client_id=9e7f2429-496d-4437-b516-048472613cf9' \
  -d 'redirect_uri=https%3A%2F%2Fdocumentation.akamai.com' \
  -d 'code=K2MzvxY8nIRhNQYe' \
  -d 'code_verifier=AdleUo9ZVcn0J7HkXOdzeqN6pWrW36K3JgVRwMW8BBQazEPV3kFnHyWIZi2jt9gA'
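
The code_verifier sent in the PKCE request must be the value from which the original code_challenge was derived. The following added example (not part of the original documentation) shows that relationship in Python, assuming the S256 challenge method defined in RFC 7636; this page does not state which method the service uses, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636: a verifier is 43-128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def new_code_verifier(n_bytes: int = 48) -> str:
    """Generate a random verifier; 48 random bytes encode to 64 URL-safe characters."""
    raw = secrets.token_bytes(n_bytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)), padding removed."""
    if not _VERIFIER_RE.fullmatch(code_verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verifier_matches(code_verifier: str, stored_challenge: str) -> bool:
    """The check a token endpoint performs: recompute the challenge and compare."""
    try:
        computed = s256_challenge(code_verifier)
    except ValueError:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(computed.encode("ascii"),
                               stored_challenge.encode("utf-8"))


if __name__ == "__main__":
    verifier = new_code_verifier()           # kept by the client until the exchange
    challenge = s256_challenge(verifier)     # sent as code_challenge in the auth request
    print(len(verifier), verifier_matches(verifier, challenge))
    print(verifier_matches(new_code_verifier(), challenge))  # a different verifier fails
```

An authorization code intercepted in transit cannot be redeemed without the verifier, which never leaves the client until the token exchange.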


Sample Request (Curl): refresh_token Grant

The following command exchanges the refresh token iTsA4i2Px4TEzBrfLIvddjnDVBJxjPDuCARHH_Xk7EzdpGq5GPQcsxCWM2SxdlwU for an access token:


curl -X POST \
 https://v1.api.us.janrain.com/00000000-0000-0000-0000-000000000000/login/token \
  -H 'Authorization: Bearer RcaWTi0woO52rqZjlbApm2lL3Aokzd1bhCZZajX51aX4IQrH1Uj1D4ks9HfJtxoRI7HCsyNVoc6Qj4oBfuplftc7tMbR26eZHwtEqaw9RLMBeIJDvqvqyD4l' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=refresh_token' \
  -d 'refresh_token=iTsA4i2Px4TEzBrfLIvddjnDVBJxjPDuCARHH_Xk7EzdpGq5GPQcsxCWM2SxdlwU' \
  -d 'client_id=9e7f2429-496d-4437-b516-048472613cf9'


Sample Request (Curl): client_credentials Grant

The following command requests an access token for use with the Configuration APIs:


curl -X POST \
 https://v1.api.us.janrain.com/00000000-0000-0000-0000-000000000000/login/token \
  -H 'Authorization: Basic YTIyYzk2MDQtN2IyNy00NjRmLWJmZjUtODNiYTIyOTMyM2FmOmVJbTVnYkQ0QjF3NEswNGVYYUJ6dDVSRnhTaGMzcG1D' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=client_credentials' \
  -d 'scope=:config/**'


Responses

200 OK

If your call to this endpoint succeeds, you'll get back a response that, depending on the type of grant you've requested, includes an access token, a refresh token, and an identity token:

{
   "access_token": "5na7KhMcUqnpoVDCRBX5na7Lwgh7L6qOaAlb1r2r_VKcemGgbh634rv261zbghfg6t",
   "refresh_token": "iTsA4i2Px4TEzBrfLIvddjnDVBJxjPDuCARHH_Xk7EzdpGq5GPQcsxCWM2SxdlwU",
   "expires_in": 3600,
   "token_type": "Bearer",
   "scope": "email openid profile",
   "id_token": "kyJhbGciOiJSUzI1NiIsImtpZCI6ImE5NjRhNjE3YTc0YjZjZWNlMDM4NTdkYWExZThlMTQ0ZDExMTMyY
TkiLCJ0eXAiOiJKV1QifQ.eyJhdF9oYXNoIjoiV1Y0STlVbjFWSi96Q25iRHVoWndIUSIsImF1ZCYwNC03YjI3LTQ2NGYtYmZ
mNS04M2JhMjI5MzIzYWYiXSwiYXV0aF90aW1lIjoxNTUzMDI3MjEzLCJleHAiOjE1NTMwMzA4MzksImdsb2JhbF9zdWIiOiJj
YXB0dXJlLXYxOi8vYjI3LTQ2NGYtYmZmNS04M2JhMjI5MzIzYWYiXSwiYXV0aF90aW1lIjoxNTUzMDI3bm5qZXl6eXJydDJub
TVkcmY1bmtuOC91c2VyLzc5OGQ2NTQwLWExYTYtNDFiNS1iZjcxLTg1YjY5NDFkY2E4MCIsImlhdCI6MTU1MzAyNzIzOSwiaX
NzIjoiaHR0cHM6Ly9hcGkubXVsdGkuZGV2Lm9yLmphbnJhaW4uY29tLzAwMDAwMDAwLTAwMDAtMzAwYjI3LTQ2NGYtYmZmNS0
4M2JhMjI5MzIzYWYiXSwiYXV0aF90aW1lIjoxNTUzMDI3NDFiNS1iZjcxLTg1YjY5NDFkY2E4MCJ9.TRaDPi2_a0Z2s6MYh3L
QEyTU5UkR1el6w_waPFeV2hZgv10pDHu6xVrAZUZwErU0_mSDbe9bJo5I_yuecgXZ_4Q1WNV0Z4zhTJT9ycpNeSwgPQcDGddh
8J1ybI0Rg6yM54OOcf6o_shqrQMGiiFirm9GrtPYjI3LTQ2NGYtYmZmNS04M2JhMjI5MzIzYWYiXSwiYXV0aF90aW1lIjoxNT
UzMDI319S83qGyLStH5db06iVjFahdNex0w39uQSHlTf7Ay0Acb0JOtMOk7JUC406wT5WT5Jz1qGV2q_ChvxdUCCnd2Vp8lNb
a3AyznkehABHeISkNYtJ6BKigQ"
}

Response Codes

The following table includes information about some of the response codes that you might encounter when calling this endpoint.

| Response Code | Description |
|---|---|
| 400 | Invalid_grant. Typically occurs if you pass an invalid authorization code or if the authorization code has expired. Authorization codes are valid only for a few minutes. |