Getting access tokens with the authorization code grant

Instructions for getting access tokens with the authorization code grant flow.

Log in as admin in Swagger UI

  1. Go to https://localhost:8443/api/swagger/default.

  2. Select Authorize.

  3. Enter the following values in the form:

    Key            Value
    client_id      admin-swagger
    client_secret  n8HF35qzZkmsukHJzzz9LnN8m9Mf97uq

  4. Select Authorize.

  5. Select Close.

Create the client

  1. Select POST /api/admin/{tid}/clients API.

  2. Select Try it out.

  3. Enter default as tid (tenant ID).

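  4. Use the following JSON as the body, replacing the redirect_uris placeholder with your application's callback URL:

    {
        "authorization_server_id": "default",
        "client_id": "client",
        "client_secret": "wPeimtcljkdBeG19Xc3OXD41iZo0zxdg",
        "client_name": "My app",
        "grant_types": ["authorization_code"],
        "redirect_uris": ["<your-redirect-uri>"],
        "response_types": ["code"],
        "scopes": ["openid"]
    }
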
  5. Select Execute.

Make the authorize request

  • Your application initializes a redirect in the browser to the following URL:

  • The user authenticates and approves access to the data on the consent page.

    To test the authentication, you can use the user:user credentials.

Exchange the authorization code

  • Once the user has granted the application access, the authorization server redirects to the requested redirect_uri with the authorization code in a query parameter.
  • Your application exchanges the authorization code for the access and ID tokens. In the request below, -k tells curl to skip TLS certificate verification for the localhost endpoint.

    curl -X POST -k https://localhost:8443/default/default/oauth2/token \
    -u "client:wPeimtcljkdBeG19Xc3OXD41iZo0zxdg" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "grant_type=authorization_code&code=<authorization-code>&redirect_uri=<your-redirect-uri>"
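
The authorize request, the callback handling and the token request body from the steps above, as an added example (not code from the original page or the product). The /authorize path, the redirect URI and the use of a state parameter to tie the callback to the user's session are assumptions; the token endpoint base, client_id and openid scope come from the page.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# The token endpoint on this page ends in /oauth2/token; the /authorize path
# is an assumption modelled on it. REDIRECT_URI is a constructed sample.
BASE = "https://localhost:8443/default/default/oauth2"
CLIENT_ID = "client"
REDIRECT_URI = "https://localhost:3000/callback"

def build_authorize_url(state):
    """URL the application redirects the browser to."""
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI, "scope": "openid",
                       "state": state})
    return f"{BASE}/authorize?{query}"

def extract_code(callback_url, expected_state):
    """Return the authorization code from the redirect or raise ValueError."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("callback does not match the registered redirect_uri")
    params = parse_qs(parts.query)
    if "error" in params:  # e.g. the user declined on the consent page
        raise ValueError(f"authorization failed: {params['error'][0]}")
    state = params.get("state", [""])[0]
    # The state must be the value this session sent in the authorize request.
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]

def token_request_body(code):
    """Form body for the POST to the token endpoint (the curl -d value)."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})

if __name__ == "__main__":
    state = secrets.token_urlsafe(32)  # keep in the user's session
    print(build_authorize_url(state))
    # Constructed callback standing in for the authorization server's redirect.
    callback = f"{REDIRECT_URI}?code=SAMPLE_CODE&state={state}"
    print(token_request_body(extract_code(callback, state)))
```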

Expected response

    {
        "access_token": "..",
        "expires_in": 3600,
        "id_token": "..",
        "scope": "openid",
        "token_type": "bearer"
    }