API Reference

Exchanges an OAuth Code for an Access Token

post
https://api.vcita.biz/oauth/token

Overview

Exchanges an OAuth Authorization Code for an Access Token. This endpoint is the final step in the OAuth 2.0 Authorization Code flow.

This endpoint does not require authentication headers - authentication is performed via the client_id and client_secret in the request body.

Prerequisites

Before using this endpoint, you must:

1. Create an OAuth Application

Create an app using POST /platform/v1/apps with a Directory token. This returns:

  • client_id: Your OAuth Client ID
  • client_secret: Your OAuth Client Secret (shown only once - store securely!)

Example app creation request:

{
  "name": "My OAuth App",
  "app_code_name": "myoauthapp",
  "redirect_uri": "https://myapp.example.com/oauth/callback",
  "scopes": ["openid"]
}

2. Obtain an Authorization Code

Redirect users to the authorization endpoint to obtain consent:

GET /oauth/authorize?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}&scope={scopes}&state={state}

After user authorization, they are redirected to your redirect_uri with:

  • code: The authorization code (use this in the token request)
  • state: The state parameter you provided (verify this matches)

3. Exchange Code for Token

Call this endpoint (POST /oauth/token) with the authorization code to receive an access token.

Complete OAuth Flow Diagram

1. App Creation (one-time setup):
   POST /platform/v1/apps → Returns client_id, client_secret

2. User Authorization (browser redirect):
   User → /oauth/authorize → User grants permission → Redirect to app with code

3. Token Exchange (server-to-server):
   POST /oauth/token (with code) → Returns access_token

4. API Access:
   Use access_token in Authorization header for subsequent API calls

Important Notes

  • Authorization codes are single-use - once exchanged, they cannot be reused
  • Authorization codes expire quickly - exchange them immediately after receiving
  • This endpoint cannot be tested in isolation - it requires an authorization code from the user authorization flow
  • Store client_secret securely - it is only displayed once during app creation

Available for Staff, Directory, and Client tokens

Recent Requests
Log in to see full request history
TimeStatusUser Agent
Retrieving recent requests…
LoadingLoading…
Body Params
string
enum
required

The OAuth 2.0 grant type. Must be authorization_code for the Authorization Code flow.

Allowed:
string
required

The OAuth Client ID obtained when creating an app via POST /platform/v1/apps. This value is returned in the data.client_id field of the app creation response.

string
required

The OAuth Client Secret obtained when creating an app via POST /platform/v1/apps. This value is returned in the data.client_secret field of the app creation response. Important: This secret is only shown once during app creation - store it securely.

string
required

The authorization code obtained from the OAuth authorization flow. This code is provided as a query parameter when the user is redirected back to your redirect_uri after authorizing your app. Authorization codes are single-use and expire shortly after being issued.

uri
required

The exact redirect URI that was used when initiating the authorization request. This must match one of the URIs configured for your app (either redirect_uri or one of the oauth_redirect_uris set during app creation).

string

Optional - PKCE only. The code verifier used when the authorization request was initiated with PKCE (Proof Key for Code Exchange). If your app used a code_challenge during authorization, you must provide the original code_verifier here. Note: PKCE support may vary - check server capabilities.

Responses

Updated about 2 months ago

Language
Credentials
Bearer
JWT
LoadingLoading…
Response
Click Try It! to start a request and see the response here! Or choose an example:
application/json

Updated about 2 months ago