/oauth2/access_token

The /oauth2/access_token endpoint is the OAuth 2.0 token endpoint (RFC 6749).

Use this endpoint to acquire an access or refresh token with the following flows:

Authorization code grant (OAuth 2.0 and OIDC)
Authorization code grant with PKCE (OAuth 2.0 and OIDC)
Authorization code grant with PAR (OAuth 2.0)
Client credentials grant (OAuth 2.0)
Resource owner password credentials grant (OAuth 2.0)
Device flow (OAuth 2.0)
SAML 2.0 profile for authorization grant (OAuth 2.0)
Token exchange (OAuth 2.0 | OpenID Connect)

Specify the realm in the request URL; for example:

https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/access_token

The access_token endpoint supports the following parameters:

Parameter Description Required

Parameter	Description	Required
`actor_token`	The token representing a delegate acting on behalf of another identity.	Yes, for Token exchange
`actor_token_type`	The type of actor token.	Yes, for Token exchange
`auth_chain`	A string naming the journey to authenticate the resource owner.	No, only for Resource owner password credentials grant
`assertion`	A string holding a base64-encoded then URL-encoded SAML 2.0 assertion	Yes, when `grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer`
`client_assertion`	A signed JSON Web Token (JWT) to use as client credentials.	Yes, for JWT profile authentication
`client_assertion_type`	The type of assertion, `client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer`.	Yes, for JWT profile authentication
`client_id`	Uniquely identifies the application making the request.	Yes
`client_secret`	The password for a confidential client; do not use with `cnf_key`.	Yes, when authenticating with Form parameters (HTTP POST)
`cnf_key`	A base64-encoded JSON Web Key (JWK); do not use with `client_secret`.	Yes, for JWK-based proof-of-possession
`code`	A string holding the authorization code for an authorization code grant.	Yes, when `grant_type=authorization_code`
`code_verifier`	A random string correlating a PKCE authorization request with the token request.	Yes, for flows with PKCE
`device_code`	A string holding the device code requested from the user for a device flow.	Yes, when `grant_type=urn:ietf:params:oauth:grant-type:device_code`
`grant_type`	A string specifying the type of grant to acquire an access token.	Yes
`password`	A string holding the resource owner password for the Resource owner password credentials grant.	Yes, when `grant_type=password`
`redirect_uri`	The URI to return the resource owner to after authorization is complete.	Yes, when `grant_type=authorization_code` and it was included earlier in the flow
`refresh_token`	The refresh to get a new access token.	Yes, for Refresh tokens
`requested_token_type`	The type of token requested in exchange.	No, but recommended for Token exchange
`scope`	The scopes linked to the permissions requested by the client from the resource owner.	No
`subject_token`	The original token to exchange.	Yes, for Token exchange
`subject_token_type`	The type of subject token.	Yes, for Token exchange
`username`	A string holding the resource owner username for the Resource owner password credentials grant.	Yes, when `grant_type=password`

actor_token

The token representing a delegate acting on behalf of another identity.

Yes, for Token exchange

actor_token_type

The type of actor token.

Yes, for Token exchange

auth_chain

A string naming the journey to authenticate the resource owner.

No, only for Resource owner password credentials grant

assertion

A string holding a base64-encoded then URL-encoded SAML 2.0 assertion

Yes, when grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer