POST /v1/oauth/token
OAuth 2.1 token endpoint. Dispatches on grant_type:
- client_credentials: exchange an OAuth client’s client_id + client_secret (i.e., an API key) for an access + refresh token pair.
- refresh_token: exchange a refresh token for a new access + refresh pair.
Response
- access_token: Short-lived JWT (15 minutes)
- refresh_token: Long-lived JWT (7 days)
- token_type: “Bearer”
- expires_in: Seconds until access token expires (900)
Request Body required
object
client_id
string | null
client_secret
string | null
grant_type
required
OAuth 2.1 grant types accepted by /v1/oauth/token. Surfaced as a string
enum in the OpenAPI doc so SDK consumers (and Zod-validating MCP clients)
see the closed set of valid values.
Wire format is snake_case to match RFC 6749 §1.3.
string
refresh_token
string | null
Responses
Token pair generated successfully
object
access_token
required
string
expires_in
required
integer format: int64
refresh_token
required
string
scope
string | null
token_type
required
string
Invalid request
Invalid credentials
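
An added example, not part of the original reference or the project's SDK: a client-side token cache that follows the grant_type dispatch and token lifetimes described above, renewing shortly before the access token expires and always storing the newest refresh token. The `post` transport, the `SKEW` margin, the demo credentials and the in-memory `FakeEndpoint` (which assumes only the most recent refresh token is accepted) are constructed for illustration.

```python
import time
SKEW = 30  # assumption: renew this many seconds before the access token expires
REQUIRED = ("access_token", "refresh_token", "expires_in", "token_type")

class TokenManager:
    """Caches the token pair. post(params) -> (ok, body) is a hypothetical transport."""
    def __init__(self, post, client_id, client_secret, clock=time.monotonic):
        self._post, self._clock = post, clock
        self._creds = {"client_id": client_id, "client_secret": client_secret}
        self._access, self._refresh, self._deadline = None, None, 0.0

    def _exchange(self, grant_type, **fields):
        ok, body = self._post({"grant_type": grant_type, **fields})
        if not ok:  # the endpoint answered "Invalid request" or "Invalid credentials"
            raise PermissionError(f"{grant_type} grant rejected")
        missing = [f for f in REQUIRED if f not in body]
        if missing or body["token_type"].lower() != "bearer":
            raise ValueError(f"malformed token response, missing: {missing}")
        self._access = body["access_token"]
        self._refresh = body["refresh_token"]  # keep only the newest refresh token
        self._deadline = self._clock() + body["expires_in"] - SKEW
        return self._access

    def access_token(self):
        if self._access and self._clock() < self._deadline:
            return self._access  # cached access token is still inside its lifetime
        if self._refresh:
            try:
                return self._exchange("refresh_token", refresh_token=self._refresh)
            except PermissionError:
                self._refresh = None  # e.g. the 7-day refresh token has expired
        return self._exchange("client_credentials", **self._creds)

class FakeEndpoint:
    """Constructed in-memory stand-in; assumes only the newest refresh token is accepted."""
    def __init__(self):
        self.calls, self.n, self.current = [], 0, None
    def __call__(self, p):
        self.calls.append(p["grant_type"])
        if p["grant_type"] == "client_credentials":
            ok = (p.get("client_id"), p.get("client_secret")) == ("demo-id", "demo-secret")
        else:
            ok = self.current is not None and p.get("refresh_token") == self.current
        if not ok:
            return False, {}
        self.n += 1
        self.current = f"refresh-{self.n}"
        return True, {"access_token": f"access-{self.n}", "refresh_token": self.current,
                      "expires_in": 900, "token_type": "Bearer"}
```

In a real client, `post` would wrap the HTTP call to /v1/oauth/token and the client_secret would come from a secret store rather than source code.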