Token
- URL: https://<oauth2-url>/token
Description
The Authentication topic describes the overall OAuth2 authentication flow. Authorization represents the first step of an authorization grant, and this topic describes the access token step of that flow. In addition to issuing user access tokens as part of the authorization grant, this endpoint can also refresh access tokens and issue application tokens.
The type of token issued is based on the grant_type parameter as follows:
- grant_type=authorization_code—Issues a user access_token and refresh_token based on the authorization code obtained in the authorization step. Access tokens are usually short-lived (typically 30 minutes). Apps can get a new access_token by using the refresh_token obtained with this grant.
- grant_type=refresh_token—Issues a new access_token by using the refresh_token obtained above.
- grant_type=client_credentials—Issues an app access_token for the client_id specified in the request.
- grant_type=exchange_refresh_token—Issues a new access_token and refresh_token in exchange for the old refresh_token obtained before. The old refresh_token is invalidated when the new one is issued, and every access_token obtained with the old refresh_token is invalidated as well. The newly exchanged refresh_token has the same expiration, in minutes, as the old one; the newly obtained access_token expires after 30 minutes.
The required request parameters vary based on the grant_type as specified in the following table:
| grant_type | Required parameters |
|---|---|
| authorization_code | client_id, redirect_uri, code |
| refresh_token | client_id, refresh_token |
| client_credentials | client_id, client_secret |
| exchange_refresh_token | client_id, redirect_uri, refresh_token |
Request Parameters
| Parameter | Details |
|---|---|
| client_id (Required) | The ID of the registered application. Also referred to as APPID. Example: client_id=GGjeDjEY6kKEiDmX |
| grant_type (Required) | The type of grant requested. Values: authorization_code, refresh_token, client_credentials, exchange_refresh_token. The type of token issued is based on the grant_type parameter, as listed under Description. |
| redirect_uri (Required when grant_type=authorization_code or exchange_refresh_token) | The URI specified during the authorization step. The URI must match; otherwise, authorization will be rejected. Example: redirect_uri=https://app.example.com/cb |
| code (Required when grant_type=authorization_code) | The authorization code obtained as a result of the authorization step. Example: code=KIV31WkDhY6XIWXmWAc6U |
| refresh_token (Required when grant_type=refresh_token or exchange_refresh_token) | The refresh_token obtained in response to grant_type=authorization_code. Example: refresh_token=GysTpIui-oxWTTIs |
| client_secret (Required when grant_type=client_credentials) | The secret of the registered application. Also referred to as APPSECRET. Example: client_secret=57e2f75cd56346bf9d5654c3338a1250 |
Response
{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "expires_in": 1800, // expiration in seconds from now
  "username": "jsmith", // signed-in user name
  "refresh_token": "GysTpIui-oxWTTIs" // ONLY returned when grant_type=authorization_code or exchange_refresh_token
}
Example Usage
For all examples, assume this endpoint:
https://www.arcgis.com/sharing/rest/oauth2/token
grant_type=authorization_code
Assume these parameters:
client_id=GGjeDjEY6kKEiDmX&
grant_type=authorization_code&
redirect_uri=https://app.example.com/cb&
code=KIV31WkDhY6XIWXmWAc6U
grant_type=refresh_token
Assume these parameters:
client_id=GGjeDjEY6kKEiDmX&
grant_type=refresh_token&
refresh_token=GysTpIui-oxWTTIs
grant_type=client_credentials
Assume these parameters:
client_id=GGjeDjEY6kKEiDmX&
grant_type=client_credentials&
client_secret=57e2f75cd56346bf9d5654c3338a1250
grant_type=exchange_refresh_token
Assume these parameters:
client_id=GGjeDjEY6kKEiDmX&
grant_type=exchange_refresh_token&
redirect_uri=https://app.example.com/cb&
refresh_token=GysTpIui-oxWTTIs
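The following client-side sketch is an added example, not code from this documentation or its vendor. It enforces the required-parameter table before a request is built and replaces stored tokens according to the response rules above. The function names, the `store` dict, and sending the parameters as a form-encoded body are assumptions.

```python
import time
from urllib.parse import urlencode

# Required parameters per grant_type, taken from the table on this page.
REQUIRED = {
    "authorization_code": ("client_id", "redirect_uri", "code"),
    "refresh_token": ("client_id", "refresh_token"),
    "client_credentials": ("client_id", "client_secret"),
    "exchange_refresh_token": ("client_id", "redirect_uri", "refresh_token"),
}
# Grants whose response carries a refresh_token (per the Response section).
RETURNS_REFRESH = {"authorization_code", "exchange_refresh_token"}


def build_token_request(grant_type, **params):
    """Return the form-encoded body for the token endpoint, or raise ValueError."""
    if grant_type not in REQUIRED:
        raise ValueError(f"unsupported grant_type: {grant_type!r}")
    missing = [p for p in REQUIRED[grant_type] if not params.get(p)]
    if missing:
        raise ValueError(f"{grant_type} requires: {', '.join(missing)}")
    # Send only what the grant needs, so a stray client_secret or code never leaves the app.
    body = {"grant_type": grant_type}
    body.update({p: params[p] for p in REQUIRED[grant_type]})
    return urlencode(body)


def apply_token_response(store, grant_type, response, now=None):
    """Update a token store (hypothetical dict) from a parsed token response."""
    now = time.time() if now is None else now
    if "access_token" not in response or "expires_in" not in response:
        raise ValueError("token response missing access_token or expires_in")
    if grant_type in RETURNS_REFRESH:
        if "refresh_token" not in response:
            raise ValueError(f"{grant_type} response carried no refresh_token")
        # After exchange_refresh_token the old refresh_token is invalid: overwrite it.
        store["refresh_token"] = response["refresh_token"]
    store["access_token"] = response["access_token"]
    store["expires_at"] = now + int(response["expires_in"])
    return store


if __name__ == "__main__":
    # Constructed sample values, reusing the placeholders shown on this page.
    print(build_token_request("refresh_token", client_id="GGjeDjEY6kKEiDmX",
                              refresh_token="GysTpIui-oxWTTIs"))
```

Persist the updated store before discarding the old refresh_token, since a token lost between exchange and save cannot be recovered from the invalidated one.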