Identity as a Service: GenerateToken

Last Updated: Oct 10, 2025

Generates an access token for an application in a specified IDaaS instance based on credential information.

Operation description

The following methods are supported: Authorization Code, Device Flow, Refresh Token, Client Credentials, and Password.

1. Authorization Code

Scenario: This is the standard OAuth 2.0 authorization code flow, which is suitable for web applications with frontend interaction. Example call:

POST /v2/{instanceId}/{applicationId}/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code={authorization_code}
&redirect_uri={redirect_uri}
&client_id={client_id}
&client_secret={client_secret}

Parameters:

● code: The authorization code obtained from the authorization endpoint.

● redirect_uri: Must be the same as the redirect_uri that was used to obtain the authorization code.

1.1 Authorization Code for public clients

Scenario: This scenario is suitable for applications that cannot securely store a secret, such as single-page applications (SPAs) or native applications. In this flow, a client_secret is not required, but you must use the Proof Key for Code Exchange (PKCE) mechanism. Example call:

POST /v2/{instanceId}/{applicationId}/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code={authorization_code}
&redirect_uri={redirect_uri}
&client_id={client_id}
&code_verifier={code_verifier}

Parameters:

● code_verifier: The code verifier for the PKCE mechanism. The client generates it when initiating an authorization request and uses it to derive the `code_challenge`. When exchanging for a token, you must submit this value. It must be identical to the value used to generate the `code_challenge`.

Java example for generating a code_verifier and code_challenge:

// 43 random bytes encode to 58 URL-safe characters, within the 43..128 range that PKCE (RFC 7636) requires for the verifier.
String codeVerifier = Base64.getUrlEncoder().withoutPadding().encodeToString(new SecureRandom().generateSeed(43));
// code_challenge = BASE64URL(SHA-256(ASCII(code_verifier))); hash the ASCII bytes explicitly instead of relying on the platform default charset.
String codeChallenge = Base64.getUrlEncoder().withoutPadding().encodeToString(java.security.MessageDigest.getInstance("SHA-256").digest(codeVerifier.getBytes(java.nio.charset.StandardCharsets.US_ASCII)));

2. Device Flow

Scenario: This scenario is suitable for input-constrained devices, such as TVs and IoT devices. Example call:

POST /v2/{instanceId}/{applicationId}/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:device_code
&device_code={device_code}
&client_id={client_id}
&client_secret={client_secret}

To obtain the device code, first call /oauth2/device/code to retrieve the device_code and user_code.

2.1 Device Flow for public clients

Scenario: This scenario is used when interactive logon is not convenient and the client is a public client. Example call:

POST /v2/{instanceId}/{applicationId}/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:device_code
&device_code={device_code}
&client_id={client_id}

3. Refresh Token

Scenario: This scenario uses a refresh_token to obtain a new access_token. Example call:

POST /v2/{instanceId}/{applicationId}/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&refresh_token={refresh_token}
&client_id={client_id}
&client_secret={client_secret}

4. Client Credentials

Scenario: This scenario is for server-to-server authentication without user involvement. Example call:

POST /v2/{instanceId}/{applicationId}/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id={client_id}
&client_secret={client_secret}
&scope={scope}

5. Password

Scenario: This scenario uses traditional username and password authentication. Use this method with caution. Example call:

POST /v2/{instanceId}/{applicationId}/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=password
&username={username}
&password={password}
&client_id={client_id}
&scope={scope}
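The five example calls above, as an added Python example that is not part of the IDaaS documentation: it generates a PKCE pair for the public-client flow in section 1.1 and builds the form body for each grant type, refusing a request that lacks a parameter the example calls show as required or that would send a client_secret from a public client. All sample values in the code and its comments are placeholders, and no network call is made.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

# Parameters each grant needs besides grant_type and the client credential,
# as shown in the example calls for sections 1 to 5.
REQUIRED = {
    "authorization_code": {"code", "redirect_uri", "client_id"},
    DEVICE_GRANT: {"device_code", "client_id"},
    "refresh_token": {"refresh_token", "client_id"},
    "client_credentials": {"client_id"},
    "password": {"username", "password", "client_id"},
}
# Grants whose example calls carry client_secret for a confidential client.
SECRET_GRANTS = {"authorization_code", DEVICE_GRANT, "refresh_token", "client_credentials"}


def make_pkce_pair(nbytes: int = 32) -> tuple:
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636."""
    # 32 random bytes encode to 43 URL-safe characters, the minimum verifier length.
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def token_request_body(grant_type: str, public_client: bool = False, **params: str) -> str:
    """Build the form body for POST /v2/{instanceId}/{applicationId}/oauth2/token.

    Raises ValueError instead of sending a request that is missing a parameter
    or that would expose a client_secret from a public client (SPA, native app).
    """
    if grant_type not in REQUIRED:
        raise ValueError(f"unsupported grant_type: {grant_type}")
    required = set(REQUIRED[grant_type])
    if public_client:
        if "client_secret" in params:
            raise ValueError("public clients must not send client_secret")
        if grant_type == "authorization_code":
            required.add("code_verifier")  # PKCE replaces the secret (section 1.1)
    elif grant_type in SECRET_GRANTS:
        required.add("client_secret")
    missing = required - set(params)
    if missing:
        raise ValueError(f"{grant_type}: missing {sorted(missing)}")
    return urlencode({"grant_type": grant_type, **params})
```

Send the returned string as the body of the POST with Content-Type: application/x-www-form-urlencoded; the code_challenge from make_pkce_pair goes in the earlier authorization request, and the matching code_verifier in the token request.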

RAM authorization

No authorization for this operation. If you encounter issues with this operation, contact technical support.

Request syntax

POST /v2/{instanceId}/{applicationId}/oauth2/token HTTP/1.1

Request parameters

instanceId (string, required)
  The instance ID.
  Example: idaas_ue2jvisn35ea5lmthk267xxxxx

applicationId (string, required)
  The application ID.
  Example: app_mkv7rgt4d7i4u7zqtzev2mxxxx

client_id (string, optional)
  The client ID.
  Example: app_mkv7rgt4d7i4u7zqtzev2mxxxx

client_secret (string, optional)
  The client secret. This parameter is required when `grant_type` is `client_credentials` and the `client_secret_post` method is used.
  Example: CSEHDcHcrUKHw1CuxkJEHPveWRXBGqVqRsxxxx

grant_type (string, required)
  The authorization grant type. The following types are supported:
  • `client_credentials`: Client credentials grant. Requires `client_id` and `client_secret`.
  • `refresh_token`: Refresh token grant.
  • `authorization_code`: Authorization code grant.
  • `urn:ietf:params:oauth:grant-type:device_code`: Device flow.
  • `password`: Password grant.
  Example: client_credentials

code (string, optional)
  The authorization code. This parameter is required when `grant_type` is `authorization_code`.
  Example: xxxx

username (string, optional)
  The username. This parameter is required when `grant_type` is `password`.
  Example: uesrname_001

password (string, optional)
  The password. This parameter is required when `grant_type` is `password`.
  Example: xxxxxx

device_code (string, optional)
  The device code. This parameter is required when `grant_type` is `urn:ietf:params:oauth:grant-type:device_code` (device flow).
  Example: xxxx

redirect_uri (string, optional)
  The redirection URI. This parameter is required when `grant_type` is `authorization_code`. It must match the redirection URI that was sent in the request that obtained the authorization code.
  Example: xxx

refresh_token (string, optional)
  The refresh token. This parameter is required when `grant_type` is `refresh_token`.
  Example: ATxxx

code_verifier (string, optional)
  The PKCE code verifier. This parameter is used with the authorization code grant when PKCE is enabled.
  Example: xxx

exclusive_tag (string, optional)
  The excluded tag.
  Example: ATxxx

scope (string, optional)
  The scope. Multiple values are supported; separate them with spaces. Valid values:
  • openid
  • email
  • phone
  • profile
  Example: xxxx

Response elements

The response body is a JSON object with the following elements.

token_type (string)
  The token type. Valid values: `Basic`, `Bearer`.
  Example: Bearer

access_token (string)
  The access token.
  Example: ATxxx

refresh_token (string)
  The refresh token.
  Example: RTxxx

expires_in (integer)
  The validity period of the token, in seconds.
  Example: 1200

expires_at (integer)
  The expiration time, as a UNIX timestamp in seconds.
  Example: 1653288641

id_token (string)
  The ID token.
  Example: xxxxx

Examples

Success response

JSON format

{
  "token_type": "Bearer",
  "access_token": "ATxxx",
  "refresh_token": "RTxxx",
  "expires_in": 1200,
  "expires_at": 1653288641,
  "id_token": "xxxxx"
}
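An added Python example (not from the IDaaS documentation) for handling the success response above: it checks the required elements and token_type, then records the earlier of expires_at and received_at + expires_in, so that clock drift between the client and IDaaS can only shorten the token's usable lifetime, never extend it. SAMPLE_RESPONSE is a constructed copy of the example body with placeholder token values.

```python
import json

REQUIRED_FIELDS = ("token_type", "access_token", "expires_in", "expires_at")

# Constructed sample shaped like the success response above; the token values are placeholders.
SAMPLE_RESPONSE = (
    '{"token_type": "Bearer", "access_token": "ATxxx", "refresh_token": "RTxxx", '
    '"expires_in": 1200, "expires_at": 1653288641, "id_token": "xxxxx"}'
)


def parse_token_response(body: str, received_at: int) -> dict:
    """Validate a successful GenerateToken body and record a conservative expiry.

    received_at is the client's clock when the response arrived. The token keeps
    the earlier of expires_at and received_at + expires_in, so drift between the
    client clock and IDaaS can only shorten how long the token is used.
    """
    data = json.loads(body)
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise ValueError(f"token response missing {missing}")
    if data["token_type"] not in ("Bearer", "Basic"):
        raise ValueError(f"unknown token_type {data['token_type']!r}")
    if not isinstance(data["expires_in"], int) or data["expires_in"] <= 0:
        raise ValueError("expires_in must be a positive number of seconds")
    data["effective_expiry"] = min(int(data["expires_at"]), received_at + data["expires_in"])
    return data


def seconds_remaining(token: dict, now: int) -> int:
    return max(0, token["effective_expiry"] - now)


def authorization_header(token: dict, now: int, skew: int = 30) -> dict:
    """Header for an API call; refuses a token that expires within `skew` seconds."""
    if seconds_remaining(token, now) <= skew:
        raise ValueError("access token expired; obtain a new one with the refresh_token grant")
    return {"Authorization": f"{token['token_type']} {token['access_token']}"}


def needs_refresh(token: dict, now: int, lead: int = 120) -> bool:
    """True when a refresh_token was issued and the token expires within `lead` seconds."""
    return bool(token.get("refresh_token")) and seconds_remaining(token, now) <= lead
```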

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.