CreateOAuth2Token
Exchanges an authorization code or refresh token for an OAuth 2.0 access token and refresh token.
This operation accepts application/x-www-form-urlencoded requests
(RFC 6749 §4.1.3
Important
AWS
AWS CLI and AWS SDK clients use application/json as the content type
and receive a camelCase response. The accessToken field is an object containing
accessKeyId, secretAccessKey, and sessionToken
rather than an opaque Bearer JWT string.
Request Syntax
POST /v1/token HTTP/1.1
Content-type: application/json
{
"client_id": "string",
"code": "string",
"code_verifier": "string",
"grant_type": "string",
"redirect_uri": "string",
"refresh_token": "string",
"resource": "string"
}URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
- client_id
The OAuth 2.0 client identifier. Expected values:
arn:aws:signin:::devtools/same-device,arn:aws:signin:::devtools/cross-device, orarn:aws:signin:{region}::external-client/dcr/{uuid}for dynamically registered clients.Type: String
Pattern:
arn:aws:signin:::devtools/(same-device|cross-device)$|^arn:aws:signin:[^:]*::external-client/dcr/.*Required: Yes
- code
The authorization code received from the
/v1/authorizeendpoint. Required whengrant_type=authorization_code.Type: String
Length Constraints: Minimum length of 1. Maximum length of 512.
Required: No
- code_verifier
The PKCE code verifier that proves possession of the original code challenge. Required when
grant_type=authorization_code.Type: String
Length Constraints: Minimum length of 43. Maximum length of 128.
Pattern:
[A-Za-z0-9\-._~]+Required: No
- grant_type
The OAuth 2.0 grant type. Supported values:
authorization_code— Exchange an authorization code for tokens.refresh_token— Use a refresh token to obtain a new access token.
Type: String
Pattern:
(authorization_code|refresh_token)Required: Yes
- redirect_uri
The redirect URI that was used in the original authorization request. Must match exactly. Required when
grant_type=authorization_code.Type: String
Length Constraints: Minimum length of 1. Maximum length of 2048.
Required: No
- refresh_token
The refresh token issued by a previous token response. Required when
grant_type=refresh_token.Type: String
Length Constraints: Minimum length of 1. Maximum length of 2048.
Required: No
- resource
The OAuth resource for which the access token is requested (RFC 8707
). Identifies the target service the token grants access to. Required for dynamically registered (DCR) clients.
Example:
https://aws-mcp.us-east-1.api.aws/mcp.Type: String
Length Constraints: Minimum length of 1. Maximum length of 2048.
Required: No
Response Syntax
HTTP/1.1 200
Content-type: application/json
{
"access_token": "string",
"expires_in": number,
"id_token": "string",
"refresh_token": "string",
"token_type": "string"
}Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- access_token
The access token issued by the authorization server. This is an opaque Bearer JWT string (prefix
ASOA). Use as aBearertoken in theAuthorizationheader when calling the target resource.Type: String
Length Constraints: Minimum length of 1. Maximum length of 4096.
- expires_in
The number of seconds until the access token expires. Maximum value is 900 seconds (15 minutes).
Type: Integer
Valid Range: Minimum value of 1. Maximum value of 900.
- id_token
A JSON Web Token (JWT) containing user identity claims. Present only when
grant_type=authorization_code. Not included in refresh token responses.Type: String
Length Constraints: Minimum length of 1. Maximum length of 4096.
- refresh_token
An encrypted refresh token that can be used to obtain new access tokens without re-authenticating. Valid for up to 12 hours.
Each time a refresh token is used, a new refresh token is returned (token rotation). Always use the most recently issued refresh token for subsequent requests.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 2048.
- token_type
The type of token issued. Value is
Bearerper RFC 6749 §5.1.Type: String
Errors
For information about the errors that are common to all actions, see Common Error Types.
- AccessDeniedException
You do not have sufficient access to perform this action.
HTTP Status Code: 400
- InternalServerException
The request processing has failed because of an unknown error, exception or failure with an internal server.
HTTP Status Code: 500
- TooManyRequestsError
Indicates that the principal has exceeded the limit of requests to this API operation.
HTTP Status Code: 429
- ValidationException
The request failed because it contains a syntax error.
HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: