POST /v1/oauth/token

curl --request POST \
  --url https://public.api.collectpure.com/v1/oauth/token \
  --header 'Content-Type: application/json' \
  --header 'x-api-key: <api-key>' \
  --data '{
  "code": "<string>",
  "public_key": "<string>",
  "secret_key": "<string>",
  "redirect_url": "<string>"
}'

{
  "access_token": "<string>",
  "token_type": "bearer",
  "expires_in": 123,
  "id_token": "<string>",
  "refresh_token": "<string>"
}

Exchange an OAuth authorization code for an access token. This endpoint allows you to obtain an authentication token that can be used for subsequent API requests.

Request Body

code
string
required

The authorization code received from the OAuth provider

public_key
string
required

The public key for the OAuth application

secret_key
string
required

The secret key for the OAuth application

redirect_url
string
required

The redirect URL used in the initial authorization request

Response Example

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InB1cmUtand0LWtleSJ9...",
  "token_type": "bearer",
  "expires_in": 3600,
  "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InB1cmUtand0LWtleSJ9...",
  "refresh_token": "rt_abc123def456ghi789"
}

Using the Token

After obtaining the token, include it in subsequent API requests using the following headers:

"x-auth-token": "your-access-token"
"x-public-key": "your-public-key"
"x-secret-key": "your-secret-key"

The id_token is included in the response when the openid scope is granted, and the refresh_token is included when the offline_access scope is granted.

Error Responses

If the request is invalid or authentication fails, the API will return an error response:

{
  "error": "invalid_request",
  "error_description": "The authorization code is invalid or has expired"
}

Common error codes include:

  • invalid_request: The request is missing a required parameter or is otherwise malformed
  • invalid_client: Client authentication failed
  • invalid_grant: The authorization code is invalid or has expired
  • unauthorized_client: The client is not authorized to use this grant type
  • server_error: An unexpected error occurred on the server
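
The exchange described above, as an added Python example (not part of the original documentation or any vendor SDK): it builds the documented request, separates the documented error body from a success body, treats id_token and refresh_token as optional, and produces the headers listed under Using the Token. The function names, and the assumption that error bodies may arrive with a non-2xx status, are hypothetical.

```python
import json
import time
import urllib.error
import urllib.request
# Added example: function names are hypothetical, not the vendor's API.
TOKEN_URL = "https://public.api.collectpure.com/v1/oauth/token"  # from the page

class TokenError(Exception):
    """Raised for the documented {"error", "error_description"} body."""
    def __init__(self, code, description):
        super().__init__(f"{code}: {description}")
        self.code = code

def build_request(api_key, code, public_key, secret_key, redirect_url):
    """Build the POST the curl sample sends; nothing is transmitted here."""
    body = {"code": code, "public_key": public_key,
            "secret_key": secret_key, "redirect_url": redirect_url}
    missing = [k for k, v in body.items() if not v]
    if missing:  # all four body fields are marked required
        raise ValueError(f"missing required field(s): {missing}")
    return urllib.request.Request(
        TOKEN_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "x-api-key": api_key})

def parse_response(raw, now=None):
    """Turn a response body into a token record, or raise TokenError."""
    doc = json.loads(raw)
    if "error" in doc:
        raise TokenError(doc["error"], doc.get("error_description", ""))
    if doc.get("token_type") != "bearer":  # the only documented option
        raise ValueError("unexpected token_type")
    now = time.time() if now is None else now
    return {"access_token": doc["access_token"],
            "expires_at": now + int(doc["expires_in"]),
            "id_token": doc.get("id_token"),            # only with openid scope
            "refresh_token": doc.get("refresh_token")}  # only with offline_access

def auth_headers(token, public_key, secret_key):
    """Headers the page lists for subsequent API requests."""
    return {"x-auth-token": token["access_token"],
            "x-public-key": public_key, "x-secret-key": secret_key}

def exchange(req):
    """Send the request; assumes errors may come back as HTTP error statuses."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_response(resp.read())
    except urllib.error.HTTPError as e:
        return parse_response(e.read())
```

Computing expires_at at parse time lets callers check expiry locally; load the API key and secret key from the environment or a secret store rather than source code.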

Authorizations

x-api-key
string
header
required

API key for authentication

Body

application/json

code
string
required

The authorization code received from the OAuth provider

public_key
string
required

The public key (client ID) for the OAuth application

secret_key
string
required

The secret key (client secret) for the OAuth application

redirect_url
string
required

The redirect URL used in the initial authorization request

Response

200
application/json
Default Response

access_token
string
required

JWT access token signed with the project's JWKS

token_type
enum<string>
required

Type of token issued

Available options: bearer

expires_in
integer
required

Token expiration time in seconds (defaults to 3600 seconds/1 hour)

id_token
string

JWT ID token returned when openid scope is granted

refresh_token
string

Refresh token returned when offline_access scope is granted