Token Exchange
In this step, as per the OAuth protocol, the code you received in the authorization request is exchanged for the access_token, which is used to access the xoxoday resources granted by the scopes the user allowed.
User sessions should be created within a company session. Hence, after authorization, create the company session first, followed by the user session.
As this request involves sensitive information, i.e. client_secret, your server must make the following POST request to get the access_token.
The following POST request should be used to create the sessions. The same POST method is used to create the two sessions, with different values for the parameter token_type.
getAccessToken
POST
The token_type
token_type should take company as its value. If the authorization request was for company session creation, then the token_type value is company.
Path Parameters
Name | Type | Description |
---|---|---|
grant_type | string | Although OAuth supports different grant_type values. The value supported by Xoxoday are |
code | string | This is a temporary code value that the client has obtained after the authorization code |
redirect_uri | string | The URL must match the URL you have shared in the registration. |
client_id | string | This is the client_id value that you received after the client registration |
client_secret | string | This is the client_secret value that you received after the client registration |
In the above response, access_token is the bearer token that can be used by the client to access the API of xoxoday. token_type is a bearer that must be passed in the Authorization header. expires_in is the duration (in seconds) for which access_token is valid.
Company access_token and refresh token:
The default company session lasts for 30 days. refresh_token is the value with which the client can regenerate an expired access_token. The refresh_token for the company session lasts for 60 days.
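The server-side exchange and response handling described above, as an added example that is not part of the original page or Xoxoday's own code. The endpoint URL is a placeholder, the environment variable names are hypothetical, the JSON body encoding is an assumption, and the grant_type value is left to the caller because the page does not list it.

```python
import json
import os
import time
from dataclasses import dataclass, field
from urllib.request import Request

# Placeholder: the page does not give the token endpoint URL.
TOKEN_URL = "https://token-endpoint.invalid/"


def build_token_request(code, redirect_uri, grant_type, token_type="company", env=os.environ):
    """Build the server-side POST. Secrets come from the environment
    (hypothetical variable names) and travel in the body, never in the URL."""
    body = {
        "grant_type": grant_type,  # value not listed on the page; caller supplies it
        "code": code,
        "redirect_uri": redirect_uri,  # must match the registered URL
        "client_id": env["XOXODAY_CLIENT_ID"],
        "client_secret": env["XOXODAY_CLIENT_SECRET"],
        "token_type": token_type,  # "company" for the company session
    }
    # Assumption: JSON body; the page does not state the encoding.
    return Request(TOKEN_URL, data=json.dumps(body).encode(),
                   headers={"Content-Type": "application/json"}, method="POST")


@dataclass
class Session:
    access_token: str = field(repr=False)   # kept out of repr() and logs
    refresh_token: str = field(repr=False)
    expires_at: float = 0.0

    def auth_header(self):
        return {"Authorization": f"Bearer {self.access_token}"}

    def needs_refresh(self, now, skew=300):
        # Refresh slightly early so a request never carries an expired token.
        return now >= self.expires_at - skew


def parse_token_response(raw, now=None):
    """Validate the fields the page describes and compute the expiry time."""
    data = json.loads(raw)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type in response")
    expires_in = int(data["expires_in"])
    if expires_in <= 0 or not data.get("access_token"):
        raise ValueError("missing or invalid token fields")
    now = time.time() if now is None else now
    return Session(data["access_token"], data.get("refresh_token", ""), now + expires_in)
```

Send the request with `urllib.request.urlopen(req)` over HTTPS from the server only, and pass the response body to `parse_token_response`.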