When you send the POST request to the token endpoint, the endpoint validates the request parameters to ensure the authenticity and validity of the code. It checks factors such as the expiration of the code and whether it matches the client ID.
If the validation process is successful, the token endpoint generates and returns the tokens in the response. The response may include the following parameters:
access_token
: represents the access token that you can use to authenticate API calls on behalf of the user. Include this token in the authorisation header of subsequent API requests.
expires_in
: indicates the duration of the access token's validity, set to 3600 seconds (1 hour). After this time, the access token will expire, and you will need to refresh it using the refresh token if available.
token_type
: specifies the type of token being returned, which is usually set as "Bearer". This indicates that the token follows the OAuth 2.0 Bearer Token specification.
refresh_token
: if you have requested the "offline_access" scope during the authorisation process, the response may include a refresh token. This token can be used to refresh the access token once it has expired, ensuring continuity in API access without requiring repeated user authorisation.
{
  "access_token": "eyJhbGciOiJQUzI1NiIsImtpZCI6ImJiYTUzOWViOTVkNDQzNWE5NTUwNmI4NTdlYWNmZjhlIiwidHlwIjoiYXQrand0In0.….zkoFJyfbCsVEj6HKumrVoRCkhCQ6bZCi08EwpKtpaDCg_4KX7KJZnEgc7guSdmw4pLjiD2n_z7OcI6-EvHxX5hsum0pvmcUGEJMI1nHGT8XFggeAgptQaGr2wfF7NXc6ozTpY5YEBSMhwvTGmIDr_PGcdpc7Yp7ITtkJVEAUtUMlHgkRdVlhVV4K1_lK8DSD1E3pT-_jjdkG99BGMGFMFOj7we3Ry-iacg3cZqgpzyY0aY7eLIIlPhNSOLVkVDN7kFSd1ILPY0IA-B5c2GvSYoSYQy1AjI0ePaylxpjALjZOiF7M-hL1rCuY-UloNuFstr3AkRsyNZQOpKOVYMoA8w",
  "expires_in": 3600,
  "token_type": "Bearer",
  "refresh_token": "C2495E877E3074027C0D232761D01B084FB264B3211588FA8932C8C01129B639",
  "scope": "https://www.approvalmax.com/scopes/public_api offline_access"
}
Token expiry
When you receive a token, it is essential to be aware of its expiry time. Tokens have a limited validity period after which they will no longer be valid for authentication. It is crucial to keep track of these expiry times to avoid any disruptions in API access. Both the access tokens and refresh tokens can be exchanged for new tokens before their respective expiry times.
The access token is a JSON Web Token (JWT) that can be decoded to obtain a JSON object containing valuable information about the user and the authentication process. To decode your token, please visit JWT.IO.
{
  "nbf": 1680885008,
  "exp": 1680888608,
  "iss": "https://identity.approvalmax.com",
  "client_id": "8A59498C02D54104B7295D1CA08EA586",
  "sub": "92581804-f202-4a87-90b1-a4c9677b9146",
  "auth_time": 1680869179,
  "idp": "AMRemote",
  "https://www.approvalmax.com/connection": "e018ad8d-7875-4f55-a17e-db5dec8dce25",
  "jti": "DD4A003D5F1B93E10B17E5D9EFCD9F3B",
  "sid": "A1C021867AA6360DC73B7A39878C444D",
  "iat": 1680880234,
  "scope": [
    "https://www.approvalmax.com/scopes/public_api",
    "openid",
    "offline_access"
  ],
  "amr": [
    "external"
  ]
}
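The same decoding can be done locally, so a live access token never has to be pasted into a website. The block below is an added example, not ApprovalMax code: it reads the claims and uses exp to decide when to refresh. The function names, the 60-second skew, the sample token's header and its dummy signature are assumptions.

```python
import base64
import json
import time

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified here,
    so use the result for scheduling and inspection, never for authorisation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def needs_refresh(claims, now=None, skew=60):
    """True once the token is within `skew` seconds of `exp`, or past it."""
    now = time.time() if now is None else now
    return now >= claims["exp"] - skew

def make_sample_token():
    # Constructed sample: claim values copied from the decoded payload above;
    # the header is assumed and the signature is a dummy, so it will not verify.
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    header = {"alg": "PS256", "typ": "at+jwt"}
    payload = {
        "nbf": 1680885008,
        "exp": 1680888608,
        "iss": "https://identity.approvalmax.com",
        "scope": ["https://www.approvalmax.com/scopes/public_api",
                  "openid", "offline_access"],
    }
    return ".".join([enc(header), enc(payload), "c2lnbmF0dXJl"])

if __name__ == "__main__":
    claims = decode_claims(make_sample_token())
    print("lifetime (s):", claims["exp"] - claims["nbf"])
    print("refresh at nbf?", needs_refresh(claims, now=claims["nbf"]))
    print("refresh 30 s before exp?", needs_refresh(claims, now=claims["exp"] - 30))
```

In the sample claims exp minus nbf is 3600 seconds, which matches the expires_in value in the token response.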