View a markdown version of this page

CreateOAuth2Token - AWS Sign-In

CreateOAuth2Token

Exchanges an authorization code or refresh token for an OAuth 2.0 access token and refresh token.

This operation accepts application/x-www-form-urlencoded requests (RFC 6749 §4.1.3).

Important

AWS AWS CLI and AWS SDK clients use application/json as the content type and receive a camelCase response. The accessToken field is an object containing accessKeyId, secretAccessKey, and sessionToken rather than an opaque Bearer JWT string.

Request Syntax

POST /v1/token HTTP/1.1 Content-type: application/json { "client_id": "string", "code": "string", "code_verifier": "string", "grant_type": "string", "redirect_uri": "string", "refresh_token": "string", "resource": "string" }

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request accepts the following data in JSON format.

client_id

The OAuth 2.0 client identifier. Expected values: arn:aws:signin:::devtools/same-device, arn:aws:signin:::devtools/cross-device, or arn:aws:signin:{region}::external-client/dcr/{uuid} for dynamically registered clients.

Type: String

Pattern: arn:aws:signin:::devtools/(same-device|cross-device)$|^arn:aws:signin:[^:]*::external-client/dcr/.*

Required: Yes

code

The authorization code received from the /v1/authorize endpoint. Required when grant_type=authorization_code.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 512.

Required: No

code_verifier

The PKCE code verifier that proves possession of the original code challenge. Required when grant_type=authorization_code.

Type: String

Length Constraints: Minimum length of 43. Maximum length of 128.

Pattern: [A-Za-z0-9\-._~]+

Required: No

grant_type

The OAuth 2.0 grant type. Supported values:

  • authorization_code — Exchange an authorization code for tokens.

  • refresh_token — Use a refresh token to obtain a new access token.

Type: String

Pattern: (authorization_code|refresh_token)

Required: Yes

redirect_uri

The redirect URI that was used in the original authorization request. Must match exactly. Required when grant_type=authorization_code.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: No

refresh_token

The refresh token issued by a previous token response. Required when grant_type=refresh_token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: No

resource

The OAuth resource for which the access token is requested (RFC 8707). Identifies the target service the token grants access to.

Required for dynamically registered (DCR) clients.

Example: https://aws-mcp.us-east-1.api.aws/mcp.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: No

Response Syntax

HTTP/1.1 200 Content-type: application/json { "access_token": "string", "expires_in": number, "id_token": "string", "refresh_token": "string", "token_type": "string" }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

access_token

The access token issued by the authorization server. This is an opaque Bearer JWT string (prefix ASOA). Use as a Bearer token in the Authorization header when calling the target resource.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 4096.

expires_in

The number of seconds until the access token expires. Maximum value is 900 seconds (15 minutes).

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 900.

id_token

A JSON Web Token (JWT) containing user identity claims. Present only when grant_type=authorization_code. Not included in refresh token responses.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 4096.

refresh_token

An encrypted refresh token that can be used to obtain new access tokens without re-authenticating. Valid for up to 12 hours.

Each time a refresh token is used, a new refresh token is returned (token rotation). Always use the most recently issued refresh token for subsequent requests.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

token_type

The type of token issued. Value is Bearer per RFC 6749 §5.1.

Type: String

Errors

For information about the errors that are common to all actions, see Common Error Types.

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

InternalServerException

The request processing has failed because of an unknown error, exception or failure with an internal server.

HTTP Status Code: 500

TooManyRequestsError

Indicates that the principal has exceeded the limit of requests to this API operation.

HTTP Status Code: 429

ValidationException

The request failed because it contains a syntax error.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: