Fetch access token
This endpoint allows apps to fetch access tokens. For user apps, use this endpoint after the /authorize endpoint and the subsequent callback. For user apps, this endpoint supports generating an access token from an authorization code or from a refresh token sent in the previous authorize endpoint’s callback. For system apps, this endpoint can be used directly to get an access token; no prior /authorize endpoint call is needed.
NOTE: Fetching a token for a system app via the browser on our developer portal WILL NOT WORK as browser requests to the token endpoint must use PKCE. Instead, send the request through a server side/native method and ensure the ‘Origin’ header isn’t present.
https://{customer_name}.login.fabric.inc
Headers
Required for user apps with authorization code flow without PKCE and for system apps. The Basic authorization header should be created using the client ID and client secret of the app. The value should be derived as Basic base64encode(client_id:client_secret). Refer to https://datatracker.ietf.org/doc/html/rfc2617#section-2 for additional info.
Path Parameters
Use default for user app flows. For system apps, use the tenant-specific server ID provided by fabric Identity (see Getting Started).
Body
Required for all authentication flows and app types. Set to authorization_code for user apps (for authorization code flow both with and without PKCE). Set to client_credentials for system apps.
authorization_code, client_credentials
Required only for user apps and authorization code flow with PKCE.
Required only for user apps and authorization code flow with PKCE.
Required for user apps with authorization code flow both with and without PKCE. URL encoded redirect_uri sent by the user app in the previous /authorize call.
Required only for user apps and authorization code flow with PKCE. Code verifier used to derive the code_challenge sent in the /authorize call. Refer to https://datatracker.ietf.org/doc/html/rfc7636#section-4.2 for more details.
Required for user apps with authorization code flow both with and without PKCE. Authorization code received as part of the callback response to the /authorize call.
Required only for system apps. Value should always be set to s2s.
Response
Will always be set to Bearer
Describes the time in seconds in which the issued access token expires
The access token issued for the logged in user or the app itself. This access token should be used as a bearer token in the Authorization header of subsequent fabric API calls.
This token certifies that the user or app was indeed authenticated successfully. However, this token isn't to be used when invoking fabric APIs; use the access token instead.
Always set to openid profile email as part of the OpenID Connect standard.