Generate JWT

POST /oauth2/token

Use this call:

  • To get a user JWT.
  • To refresh the JWT when it expires. Works only if scope=offline is passed in the registration or authentication call.
  • To get a server JWT. User participation isn’t needed.

Usage of this call depends on the value of the grant_type parameter.

Request
Request Body schema: application/x-www-form-urlencoded
grant_type
required
string

How the JWT is obtained. Can be:

  • authorization_code to exchange the code received in the authentication call for a JWT. The value of the code parameter must be specified.
  • refresh_token to get a refreshed JWT when the previous one has expired. The value of the refresh_token parameter must be specified.
  • client_credentials to get a server JWT. The values of the client_id and client_secret parameters must be specified.
client_id
required
string

Your application ID. The value for this parameter depends on the value of the grant_type parameter:

Note that the client_secret and client_id values should come from the same client.

refresh_token
string

The refresh_token value received in the response to the most recent request to this call made with grant_type set to authorization_code or refresh_token. Required if grant_type=refresh_token.

client_secret
string

Your secret key. The value for this parameter depends on the value of the grant_type parameter:

  • If it’s authorization_code, create an OAuth 2.0 client and use its secret key. Required if you created an OAuth 2.0 client with confidential authentication type.
  • If it’s client_credentials, contact your Customer Success Manager to create a server OAuth 2.0 client and get its secret key. Required for this client type.

Note that the client_secret and client_id values should come from the same client.

redirect_uri
string
code
string

Authentication code that is exchanged for a JWT. Required if grant_type=authorization_code.

code_verifier
string

The code verifier for the PKCE request, which the app originally generated before the authorization request.
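
The conditional requirements above can be checked on the client before any credential leaves the process. The following is an added example, not Xsolla's own code: build_token_body, new_pkce_pair and GRANTS are hypothetical names, the "optional" sets are an assumption, and the S256 challenge method from RFC 7636 is assumed for the earlier authorization request.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# "required" follows the parameter descriptions on this page; the "optional"
# sets are an assumption about which remaining parameters each grant accepts.
GRANTS = {
    "authorization_code": {
        "required": ("client_id", "code"),
        "optional": ("client_secret", "redirect_uri", "code_verifier"),
    },
    "refresh_token": {
        "required": ("client_id", "refresh_token"),
        "optional": ("client_secret",),
    },
    "client_credentials": {
        "required": ("client_id", "client_secret"),
        "optional": (),
    },
}


def new_pkce_pair():
    """Return (code_verifier, code_challenge) using the RFC 7636 S256 method."""
    verifier = secrets.token_urlsafe(64)  # 86 URL-safe chars (limit: 43-128)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_token_body(grant_type, **params):
    """Check params against the grant's rules; return the form-encoded body."""
    rules = GRANTS.get(grant_type)
    if rules is None:
        raise ValueError(f"unsupported grant_type: {grant_type!r}")
    missing = [name for name in rules["required"] if not params.get(name)]
    if missing:
        raise ValueError(f"{grant_type} requires: {', '.join(missing)}")
    allowed = set(rules["required"]) | set(rules["optional"])
    unexpected = sorted(set(params) - allowed)
    if unexpected:
        # Keeps e.g. a user's refresh_token out of a server-token request.
        raise ValueError(f"not used with {grant_type}: {', '.join(unexpected)}")
    fields = {k: v for k, v in params.items() if v is not None}
    return urlencode({"grant_type": grant_type, **fields})
```

The returned string is the application/x-www-form-urlencoded body for this call; send it only over HTTPS and keep client_secret out of client-side code and logs.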

Responses
200

OK

400

Bad Request

404

Not Found

418

I’m a teapot

422

Unprocessable Entity

429

Too Many Requests

Request samples
application/x-www-form-urlencoded
refresh_token=string&grant_type=string&client_secret=string&client_id=string&redirect_uri=string&code=string&code_verifier=string
Response samples
application/json
{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "expires_in": 3600,
  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
  "scope": "email user_profile",
  "token_type": "bearer"
}