POST /oauth/token

This is the flow that mobile apps use to access an API. Use this endpoint to exchange an Authorization Code for a token.

Remarks

  • To improve compatibility for applications, Auth0 now returns profile information in a structured claim format as defined by the OIDC specification. Custom claims added to ID tokens or access tokens must therefore use a namespaced format to avoid possible collisions with standard OIDC claims.
  • Include offline_access in the scope request parameter to get a refresh token from POST /oauth/token. Make sure that the Allow Offline Access field is enabled in the API Settings.
  • The redirect_uri value must be specified as a valid callback URL under your Application’s Settings.
  • Silent authentication lets you perform an authentication flow where Auth0 will only reply with redirects, and never with a login page. When an Access Token has expired, silent authentication can be used to retrieve a new one without user interaction, assuming the user’s Single Sign-on (SSO) session has not expired.

Parameters

DPoP
string
A DPoP proof for the request. Optional; required only if your application uses Demonstrating Proof-of-Possession.

Request Body

grant_type
string
required
Denotes the flow you are using. For Authorization Code (PKCE) use authorization_code. Allowed values: authorization_code
client_id
string
required
Your application’s Client ID.
code
string
required
The Authorization Code received from the initial /authorize call.
code_verifier
string
required
Cryptographically random key that was used to generate the code_challenge passed to /authorize.
redirect_uri
string
This is required only if it was set at the GET /authorize endpoint.

Response

Status    Description
200       Successful token exchange.
default   Unexpected error