
POST /oauth/token

To check on the status of a Back-Channel Login flow, poll the /oauth/token endpoint at regular intervals by passing the following:
  • auth_req_id returned from the call to /bc-authorize
  • urn:openid:params:grant-type:ciba grant type

Response Body

If the authorizing user has not yet approved or rejected the request, you should receive a response like the following:
{
  "error": "authorization_pending",
  "error_description": "The end-user authorization is pending"
}
If the authorizing user rejects the request, you should receive a response like the following:
{
  "error": "access_denied",
  "error_description": "The end-user denied the authorization request or it has been expired"
}
If you are polling too quickly (faster than the interval value returned from /bc-authorize), you should receive a response like the following:
{
  "error": "slow_down",
  "error_description": "You are polling faster than allowed. Try again in 10 seconds."
}
In addition, Auth0 adds a Retry-After header to the response indicating how many seconds to wait before polling again. If you consistently poll too frequently, the number of seconds you must wait increases.

If the authorizing user has approved the push notification, the call returns the ID token and access token (and potentially a refresh token):
{
  "access_token": "eyJh...",
  "id_token": "eyJh...",
  "expires_in": 86400,
  "scope": "openid"
}
Once you have exchanged an auth_req_id for an ID or access token, it is no longer usable.
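The polling loop described above, as an added example that is not part of the Auth0 documentation or SDKs: it treats authorization_pending as "keep waiting", honours Retry-After on slow_down, stops on access_denied, and gives up after a deadline so a denied or expired request never spins forever. The transport `post`, the `simulate` helper and all sample replies are constructed for this example; `YOUR_DOMAIN` is a placeholder.

```python
import time

TOKEN_URL = "https://YOUR_DOMAIN/oauth/token"  # placeholder tenant domain
CIBA_GRANT = "urn:openid:params:grant-type:ciba"


class CibaPollError(Exception):
    """Raised when polling ends without tokens (denied, expired, timed out, unexpected)."""


def poll_ciba_token(post, auth_req_id, client_id, interval, max_wait=300,
                    sleep=time.sleep, now=time.monotonic):
    """Poll /oauth/token until the end user approves or the flow fails.

    `post(form) -> (status, headers, body)` is an injected transport (hypothetical),
    e.g. a wrapper around requests.post(TOKEN_URL, data=form) plus client auth.
    `interval` is the polling interval returned by /bc-authorize.
    """
    form = {"grant_type": CIBA_GRANT, "auth_req_id": auth_req_id, "client_id": client_id}
    deadline = now() + max_wait
    wait = interval
    while True:
        status, headers, body = post(form)
        if status == 200 and "access_token" in body:
            return body                      # tokens issued; auth_req_id is now spent
        err = body.get("error")
        if err == "authorization_pending":
            pass                             # user has not answered yet; keep waiting
        elif err == "slow_down":
            # Honour Retry-After and keep the larger wait for the rest of the flow,
            # since Auth0 raises the penalty if the client keeps polling too fast.
            # The +5 fallback is an assumption for replies without the header.
            retry_after = headers.get("Retry-After")
            wait = max(wait, int(retry_after)) if retry_after else wait + 5
        elif err == "access_denied":
            raise CibaPollError("end user denied the request or it expired")
        else:
            raise CibaPollError(f"unexpected response {status}: {body}")
        if now() + wait > deadline:
            raise CibaPollError("gave up waiting for end-user approval")
        sleep(wait)


def simulate(responses, interval=5):
    """Run the poller against a scripted list of (status, headers, body) replies
    (constructed test data) and return (outcome, sleeps) without really sleeping."""
    replies, sleeps = iter(responses), []
    try:
        tokens = poll_ciba_token(lambda form: next(replies), "req-123", "client-abc",
                                 interval, sleep=sleeps.append, now=lambda: 0.0)
        return tokens, sleeps
    except CibaPollError as exc:
        return str(exc), sleeps
```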

Remarks

Include an optional parameter for application authentication in the request:
  • Client Secret with HTTP Basic auth, in which case no parameters are required. The client_id and client_secret are passed in a header.
  • Client Secret Post, in which case the client_id and client_secret are required.
  • Private Key JWT, where the client_id, client_assertion, and client_assertion_type are required.
  • mTLS, where the client_id parameter is required and the client-certificate and client-certificate-ca-verified headers are required.

Parameters

client_id (string, required)
  The client_id of your application.
auth_req_id (string, required)
  The auth_req_id returned from the /bc-authorize endpoint.
grant_type (string, required)
  Must be set to urn:openid:params:grant-type:ciba.

Response

Status  Description
200     Authentication status returned.
400     Bad Request - Invalid parameters
500     Internal Server Error