CreateOAuth2TokenWithIAM
Exchanges client credentials for an OAuth 2.0 access token scoped to a resource, which you can use to access AWS services from applications.
Implements the OAuth 2.0 client credentials grant. Applications authenticate to the token endpoint using SigV4 signing, and AWS Sign-In returns a short-lived OAuth access token (JWT) scoped to the requested resource.
The returned access token is a Bearer token per the OAuth 2.0 specification. The token is a JSON Web Token (JWT). Token lifetime is the minimum of the caller's session validity and 1 hour (3600 seconds).
Request Syntax
POST /v1/token?x-amz-client-auth-method=iam HTTP/1.1
Content-type: application/json
{
"grant_type": "string",
"resource": "string"
}URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
- grant_type
The OAuth 2.0 grant type. Must be
client_credentials.Type: String
Pattern:
client_credentialsRequired: Yes
- resource
The OAuth resource for which the access token is requested. This identifies the target service that the token grants access to. To scope the access token down to the specific resource, the resource parameter is mandated under RFC 8707 (Resource Indicators for OAuth 2.0).
When using a dynamically registered client (DCR), the resource parameter is required.
Example:
aws-mcp.amazonaws.com.rproxy.govskope.ca.Type: String
Length Constraints: Minimum length of 1. Maximum length of 2048.
Required: Yes
Response Syntax
HTTP/1.1 200
Content-type: application/json
{
"access_token": "string",
"expires_in": number,
"token_type": "string"
}Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- access_token
JWT access token containing principal identity, resource scope, and session metadata. Use this token as a Bearer token when accessing the target resource.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 4096.
- expires_in
Token lifetime in seconds. Value is the minimum of the caller's session validity and 1 hour (3600 seconds).
Type: Integer
Valid Range: Minimum value of 1. Maximum value of 3600.
- token_type
Always
Bearerper OAuth 2.0 specification.Type: String
Pattern:
Bearer
Errors
For information about the errors that are common to all actions, see Common Error Types.
- AccessDeniedException
You do not have sufficient access to perform this action.
HTTP Status Code: 400
- InternalServerException
The request processing has failed because of an unknown error, exception or failure with an internal server.
HTTP Status Code: 500
- TooManyRequestsError
Indicates that the principal has exceeded the limit of requests to this API operation.
HTTP Status Code: 429
- ValidationException
The request failed because it contains a syntax error.
HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: