Exchange OAuth code for tokens (PKCE)

curl --request POST \ --url https://api.example.com/api/auth/oauth/exchange \ --header 'Content-Type: application/json' \ --data ' { "code": "abc123...", "code_verifier": "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk" } '

{ "user": { "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a", "email": "jsmith@example.com", "profile": { "name": "<string>", "avatar_url": "<string>" }, "metadata": {}, "emailVerified": true, "providers": [ "<string>" ], "createdAt": "2023-11-07T05:31:56Z", "updatedAt": "2023-11-07T05:31:56Z" }, "accessToken": "<string>", "refreshToken": "<string>" }

Query Parameters

client_type

enum<string>

default:web

Client type determines how refresh tokens are returned:

web: Refresh token stored in httpOnly cookie, csrfToken returned in response
mobile/desktop/server: refreshToken returned directly in response body

Available options:

web,

mobile,

desktop,

server

Body

application/json

code

string

required

The insforge_code received from OAuth callback redirect

Example:

"abc123..."

code_verifier

string

required

The original code_verifier used to generate code_challenge. Must be 43-128 characters, using [A-Za-z0-9-._~]

Example:

"dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"

Response

Tokens exchanged successfully

user

object

Show child attributes

accessToken

string

JWT access token for API authentication

refreshToken

string

Refresh token for obtaining new access tokens