

# CreateOAuth2Token


Grants permission to exchange an authorization code for an OAuth 2.0 access token and refresh token that can be used to access AWS services from developer tools and applications.

## Request Syntax


```
POST /v1/token HTTP/1.1
Content-type: application/json

{
   "clientId": "string",
   "code": "string",
   "codeVerifier": "string",
   "grantType": "string",
   "redirectUri": "string",
   "refreshToken": "string"
}
```

## URI Request Parameters


The request does not use any URI parameters.

## Request Body


The request accepts the following data in JSON format.

 ** [clientId](#API_dataplane-signin_CreateOAuth2Token_RequestSyntax) **   <a name="signin-dataplane-signin_CreateOAuth2Token-request-clientId"></a>
The client identifier, which is unique to the authorization server.  
Type: String  
Pattern: `arn:aws:signin:::devtools/(same-device|cross-device)`   
Required: Yes

 ** [code](#API_dataplane-signin_CreateOAuth2Token_RequestSyntax) **   <a name="signin-dataplane-signin_CreateOAuth2Token-request-code"></a>
The authorization code received from `/v1/authorize`. Required only when `grant_type=authorization_code`.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 512.  
Required: No

 ** [codeVerifier](#API_dataplane-signin_CreateOAuth2Token_RequestSyntax) **   <a name="signin-dataplane-signin_CreateOAuth2Token-request-codeVerifier"></a>
PKCE code verifier to prove possession of the original code challenge. Required only when `grant_type=authorization_code`.  
Type: String  
Length Constraints: Minimum length of 43. Maximum length of 128.  
Pattern: `[A-Za-z0-9\-._~]+`   
Required: No

 ** [grantType](#API_dataplane-signin_CreateOAuth2Token_RequestSyntax) **   <a name="signin-dataplane-signin_CreateOAuth2Token-request-grantType"></a>
Specifies the type of OAuth 2.0 grant being requested. Supported values:  
+  `authorization_code` - Exchange an authorization code for a token.
+  `refresh_token` - Use a refresh token to obtain a new access token.
Type: String  
Pattern: `(authorization_code|refresh_token)`   
Required: Yes

 ** [redirectUri](#API_dataplane-signin_CreateOAuth2Token_RequestSyntax) **   <a name="signin-dataplane-signin_CreateOAuth2Token-request-redirectUri"></a>
The redirect URI that must match the original authorization request. Required only when `grant_type=authorization_code`.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 2048.  
Required: No

 ** [refreshToken](#API_dataplane-signin_CreateOAuth2Token_RequestSyntax) **   <a name="signin-dataplane-signin_CreateOAuth2Token-request-refreshToken"></a>
Required only when `grant_type=refresh_token`.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 2048.  
Required: No
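
The field constraints above can be enforced on the client before anything is sent to `/v1/token`. The following is an added example, not part of the service documentation or any AWS SDK: `new_code_verifier` and `build_token_request` are hypothetical helpers, the sample values are constructed, and rejecting fields that belong to the other grant type is this example's own stricter choice.

```python
import re
import secrets

# Constraints copied from the Request Body section above.
CLIENT_ID_RE = re.compile(r"arn:aws:signin:::devtools/(same-device|cross-device)")
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]+")
LENGTHS = {"code": (1, 512), "codeVerifier": (43, 128),
           "redirectUri": (1, 2048), "refreshToken": (1, 2048)}
# Fields each grant type requires; the other grant's fields are rejected here.
REQUIRED = {"authorization_code": ("code", "codeVerifier", "redirectUri"),
            "refresh_token": ("refreshToken",)}


def new_code_verifier() -> str:
    """32 random bytes as unpadded base64url: 43 characters, all in the allowed set."""
    return secrets.token_urlsafe(32)


def build_token_request(client_id: str, grant_type: str, **fields: str) -> dict:
    """Return a JSON-ready body for POST /v1/token, or raise ValueError."""
    if not CLIENT_ID_RE.fullmatch(client_id):
        raise ValueError("clientId does not match the documented pattern")
    if grant_type not in REQUIRED:
        raise ValueError("grantType must be authorization_code or refresh_token")
    wanted = REQUIRED[grant_type]
    missing = [f for f in wanted if f not in fields]
    extra = [f for f in fields if f not in wanted]
    if missing or extra:
        raise ValueError(f"missing={missing} unexpected={extra} for {grant_type}")
    for name in wanted:
        lo, hi = LENGTHS[name]
        if not isinstance(fields[name], str) or not lo <= len(fields[name]) <= hi:
            raise ValueError(f"{name} length must be {lo}..{hi}")
    if "codeVerifier" in fields and not VERIFIER_RE.fullmatch(fields["codeVerifier"]):
        raise ValueError("codeVerifier contains characters outside [A-Za-z0-9-._~]")
    return {"clientId": client_id, "grantType": grant_type, **fields}


if __name__ == "__main__":
    # Constructed sample values, not real codes or tokens.
    body = build_token_request(
        "arn:aws:signin:::devtools/same-device", "authorization_code",
        code="EXAMPLE-CODE", codeVerifier=new_code_verifier(),
        redirectUri="http://127.0.0.1:8400/callback")
    print(sorted(body))
```
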

## Response Syntax


```
HTTP/1.1 200
Content-type: application/json

{
   "accessToken": { 
      "accessKeyId": "string",
      "secretAccessKey": "string",
      "sessionToken": "string"
   },
   "expiresIn": number,
   "idToken": "string",
   "refreshToken": "string",
   "tokenType": "string"
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [accessToken](#API_dataplane-signin_CreateOAuth2Token_ResponseSyntax) **   <a name="signin-dataplane-signin_CreateOAuth2Token-response-accessToken"></a>
The AWS access credentials.  
Type: [AccessToken](API_dataplane-signin_AccessToken.md) object

 ** [expiresIn](#API_dataplane-signin_CreateOAuth2Token_ResponseSyntax) **   <a name="signin-dataplane-signin_CreateOAuth2Token-response-expiresIn"></a>
The number of seconds until the access token expires.  
Type: Integer  
Valid Range: Minimum value of 1. Maximum value of 900.

 ** [idToken](#API_dataplane-signin_CreateOAuth2Token_ResponseSyntax) **   <a name="signin-dataplane-signin_CreateOAuth2Token-response-idToken"></a>
Contains user identity information. Present in the response only when `grant_type=authorization_code`; not included in token refresh responses.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 4096.

 ** [refreshToken](#API_dataplane-signin_CreateOAuth2Token_ResponseSyntax) **   <a name="signin-dataplane-signin_CreateOAuth2Token-response-refreshToken"></a>
Encrypted refresh token with cnf.jkt (SHA-256 thumbprint of presented jwk). Always present in responses (required for both flows).  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 2048.

 ** [tokenType](#API_dataplane-signin_CreateOAuth2Token_ResponseSyntax) **   <a name="signin-dataplane-signin_CreateOAuth2Token-response-tokenType"></a>
Indicates that these are AWS SigV4 credentials. Value is `urn:aws:params:oauth:token-type:access_token_sigv4` for both flows.  
Type: String  
Pattern: `urn:aws:params:oauth:token-type:access_token_sigv4` 
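
The `refreshToken` element above is bound to a key through `cnf.jkt`, the SHA-256 thumbprint of the presented JWK. The following added example, which is not part of the service documentation, shows how such a thumbprint is derived, assuming it follows the JWK Thumbprint construction of RFC 7638; `jwk_thumbprint` is a hypothetical helper and the sample key material is constructed.

```python
import base64
import hashlib
import json

# Members that enter the thumbprint for each key type (RFC 7638, RFC 8037).
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"),
                    "RSA": ("e", "kty", "n"),
                    "OKP": ("crv", "kty", "x")}


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JSON of the required public members))."""
    try:
        names = REQUIRED_MEMBERS[jwk["kty"]]
        subset = {name: jwk[name] for name in names}
    except KeyError as exc:
        raise ValueError(f"unsupported or incomplete JWK: {exc}") from None
    # Canonical form: only required members, sorted by name, no whitespace.
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Constructed public JWK: x and y are placeholder strings, not a real key.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate-placeholder",
              "y": "constructed-y-coordinate-placeholder"}

if __name__ == "__main__":
    # Optional members such as kid or use do not change the thumbprint,
    # so the binding follows the key itself rather than its metadata.
    print(jwk_thumbprint(SAMPLE_JWK))
    print(jwk_thumbprint({**SAMPLE_JWK, "kid": "constructed-key-id"}))
```
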

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** AccessDeniedException **   
You do not have sufficient access to perform this action.  
HTTP Status Code: 400

 ** InternalServerException **   
The request processing has failed because of an unknown error, exception or failure with an internal server.  
HTTP Status Code: 500

 ** TooManyRequestsError **   
Indicates that the principal has exceeded the limit of requests to this API operation.  
HTTP Status Code: 429

 ** ValidationException **   
The request failed because it contains a syntax error.  
HTTP Status Code: 400

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/signin-2023-01-01/CreateOAuth2Token) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/signin-2023-01-01/CreateOAuth2Token) 
+  [AWS SDK for C++](https://docs.aws.amazon.com/goto/SdkForCpp/signin-2023-01-01/CreateOAuth2Token) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/signin-2023-01-01/CreateOAuth2Token) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/signin-2023-01-01/CreateOAuth2Token) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/signin-2023-01-01/CreateOAuth2Token) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/signin-2023-01-01/CreateOAuth2Token) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/signin-2023-01-01/CreateOAuth2Token) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/signin-2023-01-01/CreateOAuth2Token) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/signin-2023-01-01/CreateOAuth2Token) 