
POST /oauth/token
This flow should only be used from highly-trusted applications that cannot do redirects. If you can use redirect-based flows from your app, we recommend using the Authorization Code Flow instead.
This is the OAuth 2.0 grant that highly-trusted apps use to access an API. In this flow, the end-user is asked to fill in credentials (username/password), typically using an interactive form in the user-agent (browser). This information is sent to the backend and from there to Auth0. It is therefore imperative that the application is absolutely trusted with this information.

Request Headers

Parameter              Description
auth0-forwarded-for    End-user IP as a string value. Set this if you want brute-force protection to work in server-side scenarios.

Responses

200

A successful request returns the access token.
HTTP/1.1 200 OK
Content-Type: application/json
{
  "access_token":"eyJz93a...k4laUWw",
  "token_type":"Bearer",
  "expires_in":86400
}

Remarks

  • The scopes issued to the application may differ from the scopes requested. In this case, a scope parameter will be included in the response JSON.
  • If you don’t request specific scopes, all scopes defined for the audience will be returned due to the implied trust to the application in this grant.
  • To add realm support, set the grant_type to http://auth0.com/oauth/grant-type/password-realm, and the realm to the realm the user belongs to. This maps to a connection in Auth0.
  • In addition to username and password, Auth0 may require the end-user to provide an additional factor as proof of identity. The request may return an mfa_required error along with an mfa_token for multi-factor authentication.

Parameters

DPoP
string
A DPoP proof for the request. Optional; required only if your application uses Demonstrating Proof-of-Possession (DPoP).

Request Body

grant_type
string
required
Denotes the flow you are using. For Resource Owner Password use password.
username
string
required
Resource Owner’s identifier, such as a username or email address.
password
string
required
Resource Owner’s secret.
audience
string
The unique identifier of the target API you want to access.
resource
string
The identifier of the target API (resource server) you want to access. Must match an API Identifier registered in your Auth0 tenant. Used as an alternative to audience when the tenant’s Resource Parameter Compatibility Profile is set to compatibility.
scope
string
String value of the different scopes the application is asking for.
client_id
string
required
Your application’s Client ID.
client_secret
string
Your application’s Client Secret.
realm
string
String value of the realm the user belongs to.
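
An added Python example, not Auth0's own code or SDK, that ties the two technical parts of this page together: it assembles the form body from the Request Body parameters above (switching to the password-realm grant_type when a realm is given, and setting the auth0-forwarded-for header for server-side brute-force protection), and it classifies the responses described in the Remarks, namely a 200 whose optional scope field signals that fewer scopes were issued than requested, and an error body with mfa_required carrying an mfa_token. AUTH0_DOMAIN, the client ID, the scope names and the non-200 bodies are constructed placeholders, and the HTTP status used for the MFA error is an assumption; the 200 body is the one shown on this page.

```python
import json
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlencode

# Assumed placeholder tenant domain; substitute your own Auth0 domain.
AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"
TOKEN_URL = f"https://{AUTH0_DOMAIN}/oauth/token"
PASSWORD_REALM_GRANT = "http://auth0.com/oauth/grant-type/password-realm"


def build_token_request(username, password, client_id, client_secret=None,
                        audience=None, scope=None, realm=None, end_user_ip=None):
    """Assemble (url, headers, form_body) for a Resource Owner Password request.

    A realm switches grant_type to the password-realm grant. The end-user IP,
    when known, is sent as auth0-forwarded-for so brute-force protection keys
    on the real user rather than on the backend's own address.
    """
    body = {
        "grant_type": PASSWORD_REALM_GRANT if realm else "password",
        "username": username,
        "password": password,
        "client_id": client_id,
    }
    if client_secret:
        body["client_secret"] = client_secret
    if audience:
        body["audience"] = audience
    if scope:
        body["scope"] = scope
    if realm:
        body["realm"] = realm
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if end_user_ip:
        headers["auth0-forwarded-for"] = end_user_ip
    return TOKEN_URL, headers, urlencode(body)


@dataclass
class TokenResult:
    status: str                          # "ok", "mfa_required" or "error"
    access_token: Optional[str] = None
    expires_in: Optional[int] = None
    granted_scope: Optional[str] = None  # None: response carried no scope field
    missing_scopes: set = field(default_factory=set)
    mfa_token: Optional[str] = None
    error: Optional[str] = None
    error_description: Optional[str] = None


def parse_token_response(status_code, body_text, requested_scope=None):
    """Classify an /oauth/token response body.

    A 200 with a scope field means Auth0 issued scopes that differ from the
    request; missing_scopes lists what was requested but not granted. An error
    body with error == "mfa_required" carries the mfa_token needed to continue.
    """
    payload = json.loads(body_text)
    if status_code == 200 and "access_token" in payload:
        granted = payload.get("scope")
        missing = set()
        if granted is not None and requested_scope:
            missing = set(requested_scope.split()) - set(granted.split())
        return TokenResult("ok", access_token=payload["access_token"],
                           expires_in=payload.get("expires_in"),
                           granted_scope=granted, missing_scopes=missing)
    error = payload.get("error", "unknown_error")
    if error == "mfa_required":
        return TokenResult("mfa_required", mfa_token=payload.get("mfa_token"),
                           error=error,
                           error_description=payload.get("error_description"))
    return TokenResult("error", error=error,
                       error_description=payload.get("error_description"))


# Constructed sample responses (no network). SAMPLE_200 is the body shown on
# this page; the other two are illustrative shapes, not captured from Auth0.
SAMPLE_200 = '{"access_token":"eyJz93a...k4laUWw","token_type":"Bearer","expires_in":86400}'
SAMPLE_200_DOWNSCOPED = ('{"access_token":"eyJz93a...k4laUWw","token_type":"Bearer",'
                         '"expires_in":86400,"scope":"read:appointments"}')
SAMPLE_MFA = ('{"error":"mfa_required","error_description":"Multifactor authentication required",'
              '"mfa_token":"CONSTRUCTED_MFA_TOKEN"}')

if __name__ == "__main__":
    url, headers, body = build_token_request(
        "user@example.com", "CONSTRUCTED_PASSWORD", "YOUR_CLIENT_ID",
        audience="https://api.example.com",
        scope="read:appointments write:appointments",
        realm="Username-Password-Authentication", end_user_ip="203.0.113.7")
    print(url, headers, body)
    # 403 for the MFA error is an assumed status; the parser only needs it to be non-200.
    for status, text in ((200, SAMPLE_200), (200, SAMPLE_200_DOWNSCOPED), (403, SAMPLE_MFA)):
        print(parse_token_response(status, text, "read:appointments write:appointments"))
```

The caller should treat a non-empty missing_scopes as a signal to degrade functionality rather than retry with the same credentials, and should hand an mfa_required result to the MFA flow with the returned mfa_token rather than resubmitting the password.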

Response

Status    Description
200       Returns the access token.