Typical Auth server token exchange URL

https://auth.touchcommerce.com/oauth-server/oauth/token

Token exchange request example

URL
POST https://auth.touchcommerce.com/oauth-server/oauth/token
Headers
Authorization: Basic BASE64_ENCODED_SECRET
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Body (form fields, URL-encoded)
grant_type: urn:ietf:params:oauth:grant-type:token-exchange
subject_token: CUSTOMER_JWT_TOKEN

Where:

  • BASE64_ENCODED_SECRET is the base-64 encoding of client_id:secret (the two values joined with ':'), as required by the HTTP Basic authentication scheme. Treat this header value as a credential: it contains your client secret.

  • CUSTOMER_JWT_TOKEN is the signed JWT you generate.

The JWT identifies you. The Auth service verifies its signature using the public key identified by the kid header property, which you provided previously, as described in Generate the token header. A JWT whose signature does not verify against that key is rejected.

Token exchange response example

{
    "access_token": "eyJhb...sW6c9w",
    "token_type": "bearer",
    "expires_in": 199,
    "scope":"read write",
    "sites":[
        "123"
    ],
    "jti":"94814893-a970-4f47-b797-61438abf3885"
}

Retrieve the access token

Obtain the access token from the access_token property and send it in the Authorization header of subsequent API requests, as a Bearer token (the token_type property in the response).

Access token expiry

Access tokens are bearer credentials: anyone who holds one can call the API as you, so do not log them, place them in URLs, or hand them to components that do not need them. To limit the damage of a leaked token, each one expires after the number of seconds given in the expires_in property (199 seconds in the example above). Once the token has expired, the API no longer accepts it and your application must obtain a new access token by repeating the token exchange. Track the expiry time locally and exchange a fresh token shortly before the deadline rather than waiting for the first rejected request.
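The request, response and expiry handling described above, worked as an added example (it is not TouchCommerce code). It builds the exact request shown in the token exchange example, parses the response shape shown in the response example into an absolute expiry deadline, and decides when a new exchange is due. The client id, secret, JWT and sample response bytes below are constructed for illustration; only TOKEN_URL and the grant_type value come from the page.

```python
"""Token-exchange helpers: added example, not TouchCommerce's own code.

Standard library only. TOKEN_URL and GRANT_TYPE are taken from the page;
every other value used below (client id, secret, JWT, sample response) is
made up for illustration.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://auth.touchcommerce.com/oauth-server/oauth/token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"

# Constructed sample, copied from the response example on the page.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJhb...sW6c9w",
    "token_type": "bearer",
    "expires_in": 199,
    "scope": "read write",
    "sites": ["123"],
    "jti": "94814893-a970-4f47-b797-61438abf3885",
})


def basic_auth_header(client_id, secret):
    """HTTP Basic credential: 'Basic ' + base64(client_id ':' secret)."""
    if ":" in client_id:
        # The user-id half of a Basic credential may not contain a colon,
        # otherwise the server cannot split id from secret.
        raise ValueError("client_id must not contain ':'")
    raw = f"{client_id}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_exchange_request(client_id, secret, subject_token, url=TOKEN_URL):
    """Assemble the POST shown on the page: Basic auth header plus a
    URL-encoded form body carrying grant_type and subject_token."""
    headers = {
        "Authorization": basic_auth_header(client_id, secret),
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
    }
    body = urllib.parse.urlencode({
        "grant_type": GRANT_TYPE,
        "subject_token": subject_token,
    })
    return {"method": "POST", "url": url, "headers": headers, "body": body}


def parse_token_response(raw, now=None):
    """Validate the JSON response and turn expires_in (seconds) into an
    absolute epoch deadline, so later checks do not depend on when the
    response was read. Raises ValueError on a malformed response."""
    now = time.time() if now is None else now
    data = json.loads(raw)
    for field in ("access_token", "token_type", "expires_in"):
        if field not in data:
            raise ValueError(f"token response missing {field!r}")
    if str(data["token_type"]).lower() != "bearer":
        raise ValueError(f"unexpected token_type {data['token_type']!r}")
    expires_in = int(data["expires_in"])
    if expires_in <= 0:
        raise ValueError("expires_in must be positive")
    return {
        "access_token": data["access_token"],
        "expires_at": now + expires_in,
        "scope": data.get("scope", "").split(),
        "sites": list(data.get("sites", [])),
        "jti": data.get("jti"),
    }


def needs_refresh(token, now=None, margin=30):
    """True when the token has expired or will within `margin` seconds,
    so the caller exchanges a new one before the API starts rejecting it."""
    now = time.time() if now is None else now
    return token["expires_at"] - now <= margin


def bearer_header(token):
    """Header to attach to API calls; never log the returned value."""
    return {"Authorization": "Bearer " + token["access_token"]}


def exchange_token(client_id, secret, subject_token, url=TOKEN_URL, timeout=10):
    """Perform the exchange over HTTPS (needs network; not run offline)."""
    req = build_token_exchange_request(client_id, secret, subject_token, url)
    http_req = urllib.request.Request(
        req["url"], data=req["body"].encode("utf-8"),
        headers=req["headers"], method=req["method"],
    )
    with urllib.request.urlopen(http_req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Offline walk-through with the constructed sample response.
    req = build_token_exchange_request("my-client", "s3cret", "eyJ.jwt")
    print(req["method"], req["url"])
    print(req["body"])
    tok = parse_token_response(SAMPLE_RESPONSE, now=1000)
    print("expires_at:", tok["expires_at"], "refresh now?", needs_refresh(tok, now=1000))
```

The refresh margin is deliberate: with a 199-second lifetime, a few seconds of clock skew or request latency is enough to turn a token that looked valid when sent into one the API rejects on arrival, so the exchange is repeated while the current token still has a small margin left.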