View a markdown version of this page

CreateOAuth2TokenWithIAM - AWS Sign-In

CreateOAuth2TokenWithIAM

Exchanges client credentials for an OAuth 2.0 access token scoped to a resource, which you can use to access AWS services from applications.

Implements the OAuth 2.0 client credentials grant. Applications authenticate to the token endpoint using SigV4 signing, and AWS Sign-In returns a short-lived OAuth access token (JWT) scoped to the requested resource.

The returned access token is a Bearer token per the OAuth 2.0 specification. The token is a JSON Web Token (JWT). Token lifetime is the minimum of the caller's session validity and 1 hour (3600 seconds).

Request Syntax

POST /v1/token?x-amz-client-auth-method=iam HTTP/1.1 Content-type: application/json { "grant_type": "string", "resource": "string" }

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request accepts the following data in JSON format.

grant_type

The OAuth 2.0 grant type. Must be client_credentials.

Type: String

Pattern: client_credentials

Required: Yes

resource

The OAuth resource for which the access token is requested. This identifies the target service that the token grants access to. To scope the access token down to the specific resource, the resource parameter is mandated under RFC 8707 (Resource Indicators for OAuth 2.0).

When using a dynamically registered client (DCR), the resource parameter is required.

Example: aws-mcp.amazonaws.com.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

Response Syntax

HTTP/1.1 200 Content-type: application/json { "access_token": "string", "expires_in": number, "token_type": "string" }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

access_token

JWT access token containing principal identity, resource scope, and session metadata. Use this token as a Bearer token when accessing the target resource.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 4096.

expires_in

Token lifetime in seconds. Value is the minimum of the caller's session validity and 1 hour (3600 seconds).

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 3600.

token_type

Always Bearer per OAuth 2.0 specification.

Type: String

Pattern: Bearer

Errors

For information about the errors that are common to all actions, see Common Error Types.

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception or failure with an internal server.

HTTP Status Code: 500

TooManyRequestsError

Indicates that the principal has exceeded the limit of requests to this API operation.

HTTP Status Code: 429

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: