Create access token

Mints a bearer token for server-to-Extole calls by a client. The body is optional: when omitted, the new token mirrors the calling identity's scopes; when supplied, the body can narrow the scope set (subset of the caller's scopes), bind the token to a specific client_id, supply email/password credentials in lieu of a calling token, or override the default lifetime via duration_seconds. Returns the new token, its expires_in (seconds), the resolved client_id, the identity_id of the user the token represents, and the granted scopes.

Body Params

Optional body for POST /v4/tokens. Omit the body entirely to mirror the calling identity's scopes; supply a body to bind the new token to a specific client_id, narrow its scopes, override the default lifetime via duration_seconds, or authenticate with email/password credentials in lieu of a calling token.

client_id
string
required

Stable Extole identifier for the client (tenant) the new token should authenticate against. Required when authenticating with email/password credentials; optional when the calling identity already implies the client.

duration_seconds
int64 | null
required

Override the default token lifetime, in seconds. Must keep the token's expiry within the next ten millennia; out-of-range values return 400 invalid_duration with the default lifetime in default_duration.

email
string | null
required

Email address of the dashboard user to authenticate. Pair with password. Returns 403 invalid_credentials if the pair is wrong.

password
string | null
required

Password for the dashboard user identified by email. Returns 403 invalid_credentials if wrong, 403 expired_credentials if expired, 403 account_locked if the account is locked, and 403 account_disabled if disabled.

scopes
array of strings | null
required

Subset of the calling identity's scopes to grant on the new token. Must be a strict subset; requesting a privilege the caller does not hold returns 403 scopes_denied with the offending scopes in denied_scopes. Omit to mirror the caller's scopes.
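
A client-side guard for this endpoint, as an added example that is not Extole's own code: it builds a narrowed, short-lived request body and classifies the replies described above. Assumptions: the error code sits in a top-level `code` key of the JSON error body, any 2xx status means success, and the scope names in the usage are constructed.

```python
# Field and error names come from this page; the error-body layout (top-level
# "code" key) and the function names are assumptions for illustration.
CREDENTIAL_ERRORS = {"invalid_credentials", "expired_credentials",
                     "account_locked", "account_disabled"}

def build_token_request(caller_scopes, wanted_scopes, duration_seconds, client_id=None):
    """Build a narrowed body for POST /v4/tokens, rejecting bad input locally."""
    caller, wanted = set(caller_scopes), set(wanted_scopes)
    if not wanted:
        # Leaving scopes out mirrors the caller, the opposite of narrowing.
        raise ValueError("no scopes requested; token would mirror the caller")
    extra = sorted(wanted - caller)
    if extra:
        # The server would answer 403 scopes_denied; fail before sending.
        raise ValueError(f"scopes not held by caller: {extra}")
    if not isinstance(duration_seconds, int) or duration_seconds <= 0:
        raise ValueError("duration_seconds must be a positive integer")
    body = {"duration_seconds": duration_seconds}
    if wanted != caller:
        body["scopes"] = sorted(wanted)  # strict subset, sent explicitly
    # Equal sets: omit scopes so the new token mirrors the caller.
    if client_id is not None:
        body["client_id"] = client_id
    return body

def check_token_response(status, payload, request_body):
    """Classify the reply; confirm a success is no broader than requested."""
    if 200 <= status < 300:
        granted = set(payload.get("scopes", []))
        asked = set(request_body.get("scopes", granted))
        if not granted <= asked:
            return "reject", sorted(granted - asked)
        if payload.get("expires_in", 0) > request_body["duration_seconds"]:
            return "reject", ["expires_in exceeds requested lifetime"]
        return "ok", sorted(granted)
    code = payload.get("code")  # assumed location of the error code
    if status == 403 and code == "scopes_denied":
        return "narrow_scopes", payload.get("denied_scopes", [])
    if status == 400 and code == "invalid_duration":
        return "fix_duration", [payload.get("default_duration")]
    if status == 403 and code in CREDENTIAL_ERRORS:
        return "stop_no_retry", [code]  # same credentials will fail again
    return "unexpected", [status, code]
```
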

Responses
