OAuth Token

Exchanges an authorization code or a refresh token for OpenASA-issued tokens.

Method and path

  • Method: POST
  • Path: /oauth/token
  • Auth: no browser session required

Request body

Both JSON and form-encoded (application/x-www-form-urlencoded) bodies are supported.

  • Common fields:
      • grant_type: authorization_code or refresh_token
      • client_id
  • For grant_type=authorization_code:
      • code
      • redirect_uri
      • code_verifier
  • For grant_type=refresh_token:
      • refresh_token

Refresh token behavior

When grant_type=refresh_token, the endpoint will:

  • validate client_id
  • validate refresh token existence, expiration, and revocation status
  • revoke the old refresh token
  • issue a new access_token, refresh_token, and id_token

Success response

200 OK

{
  "token_type": "Bearer",
  "access_token": "<access_token>",
  "id_token": "<id_token>",
  "refresh_token": "<refresh_token>",
  "expires_in": 3600,
  "scope": "openid profile email"
}

Refresh token examples

JSON:

curl -X POST https://api.asahub.ai/api/oauth/token \
  -H 'Content-Type: application/json' \
  -d '{
    "grant_type":"refresh_token",
    "refresh_token":"OLD_REFRESH_TOKEN",
    "client_id":"app-a"
  }'

Form:

curl -X POST https://api.asahub.ai/api/oauth/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=refresh_token' \
  --data-urlencode 'refresh_token=OLD_REFRESH_TOKEN' \
  --data-urlencode 'client_id=app-a'
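
Because each successful refresh revokes the old refresh token, a client has to store the new refresh_token and must not let two callers spend the same one. The sketch below is an added example, not OpenASA code: FakeTokenEndpoint is a constructed in-memory stand-in for the refresh_token branch described above, and TokenStore, the empty 400 body and the 30-second margin are assumptions.

```python
import threading, time, secrets
from concurrent.futures import ThreadPoolExecutor

class FakeTokenEndpoint:
    """Constructed in-memory stand-in for the refresh_token branch (not OpenASA code)."""
    def __init__(self, client_id, first_refresh_token, ttl=3600):
        self.client_id, self.ttl = client_id, ttl
        self.tokens = {first_refresh_token: {"exp": time.time() + ttl, "revoked": False}}

    def post(self, body):
        rec = self.tokens.get(body.get("refresh_token"))
        if (body.get("grant_type") != "refresh_token" or body.get("client_id") != self.client_id
                or rec is None or rec["revoked"] or rec["exp"] < time.time()):
            return 400, {}  # error body shape is not documented; left empty here
        rec["revoked"] = True  # the old refresh token is single-use
        new_rt = secrets.token_urlsafe(16)
        self.tokens[new_rt] = {"exp": time.time() + self.ttl, "revoked": False}
        return 200, {"token_type": "Bearer", "access_token": secrets.token_urlsafe(16),
                     "id_token": "<id_token>", "refresh_token": new_rt,
                     "expires_in": 3600, "scope": "openid profile email"}

class TokenStore:
    """Hypothetical client-side holder: serializes refreshes, keeps the rotated token."""
    def __init__(self, post, client_id, refresh_token):
        self._post, self._client_id, self._lock = post, client_id, threading.Lock()
        self._refresh_token, self._access_token, self._expires_at = refresh_token, None, 0.0

    def access_token(self):
        with self._lock:  # only one caller may spend the current refresh token
            if time.time() < self._expires_at - 30:  # 30 s safety margin (assumed)
                return self._access_token  # still valid: no request is sent
            status, body = self._post({"grant_type": "refresh_token",
                                       "refresh_token": self._refresh_token,
                                       "client_id": self._client_id})
            if status != 200:
                raise PermissionError("refresh rejected; restart the authorization_code flow")
            self._refresh_token = body["refresh_token"]  # the one just sent is now revoked
            self._access_token = body["access_token"]
            self._expires_at = time.time() + body["expires_in"]
            return self._access_token

def demo(workers=8):
    """Run concurrent callers, then replay the original token against the fake endpoint."""
    server = FakeTokenEndpoint("app-a", "OLD_REFRESH_TOKEN")
    store = TokenStore(server.post, "app-a", "OLD_REFRESH_TOKEN")
    with ThreadPoolExecutor(workers) as pool:
        results = list(pool.map(lambda _: store.access_token(), range(workers)))
    replay_status, _ = server.post({"grant_type": "refresh_token", "client_id": "app-a",
                                    "refresh_token": "OLD_REFRESH_TOKEN"})
    return len(set(results)), len(server.tokens), replay_status
```

demo() returns the number of distinct access tokens the callers saw, the number of refresh tokens the fake endpoint ever issued or held, and the status of replaying the original token.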

Errors

  • 400:
      • invalid grant_type
      • invalid/expired/consumed authorization code (authorization_code branch)
      • invalid redirect_uri (authorization_code branch)
      • invalid code_verifier (authorization_code branch)
      • missing/invalid/expired/revoked refresh token (refresh_token branch)