Token Exchange

The token exchange involves the creation of tokens for company sessions and user sessions.

In this step, as per the OAuth protocol, the code you received in the authorization request is exchanged for the access_token, which is used to access Xoxoday resources according to the scopes allowed by the user.

User sessions should be created within a company session. Hence, after authorization, create the company session first, followed by the user session.

Because this request involves sensitive information, i.e. client_secret, your server must make the following POST request to get the access_token. The same POST request is used to create both sessions, with different values for the token_type parameter.

curl -X POST {OAUTH_URL}/v1/oauth/token/{token_type}      
-d '{                         



The token_type can take one of two values: user session or company session. If the authorization request was for company session creation, the token_type value is for the company; if the authorization request was for user session creation, the token_type value is for the user.

Path Parameters




Although OAuth supports different grant_type values, the values supported by Xoxoday are authorization_code and refresh_token.



This is the authorization code value that you obtained in response to the previous step.



The URL must match the URL you have shared in the registration.



This is the client_id value that you received after the client registration.



This is the client_secret value that you received after the client registration.

"token_type": "bearer", 
"expires_in": 2592000, 
"refresh_token": "064be187f42e9238122ef9d7a985c8800dff3752", 
//email will only be in the response of company session generation 

In the above response:

access_token is the bearer token that the client uses to access the Xoxoday API.

token_type is bearer, so the access_token must be passed as a bearer token in the Authorization header.

expires_in is the duration (in seconds) for which the access_token is valid.

User access_token and refresh_token:

  • The user access_token is generated based on the company access token.

  • The default user session lasts for 15 days. refresh_token is the value with which the client can regenerate the expired access_token. For the user session, the refresh_token lasts for 30 days.

Company access_token and refresh_token:

  • The default company session lasts for 30 days. refresh_token is the value with which the client can regenerate the expired access_token. For the company session, the refresh_token lasts for 60 days.
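The lifetimes above reduce to a use / refresh / re-authorize decision for each session, with the company session handled before the user session. The sketch below is an added example, not Xoxoday's code. The Session class, the plan function, the "company"/"user" labels, the 60-second clock skew and the placeholder token values are all assumptions, and it makes no network calls.

```python
from dataclasses import dataclass, field

DAY = 86400
# Refresh-token lifetimes stated on this page, per session type (seconds).
REFRESH_LIFETIME = {"company": 60 * DAY, "user": 30 * DAY}

@dataclass
class Session:
    kind: str                               # "company" or "user" (labels assumed here)
    access_token: str = field(repr=False)   # excluded from repr() so tokens stay out of logs
    refresh_token: str = field(repr=False)
    access_expires_at: float = 0.0
    refresh_expires_at: float = 0.0

    @classmethod
    def from_response(cls, kind, resp, issued_at):
        # Reject anything that is not a bearer token response.
        if str(resp.get("token_type", "")).lower() != "bearer":
            raise ValueError("unexpected token_type")
        return cls(kind, resp["access_token"], resp["refresh_token"],
                   issued_at + int(resp["expires_in"]),
                   issued_at + REFRESH_LIFETIME[kind])

    def next_action(self, now, skew=60):
        """Return 'use', 'refresh' or 'reauthorize' for this session at time `now`."""
        if now < self.access_expires_at - skew:
            return "use"
        if now < self.refresh_expires_at - skew:
            return "refresh"
        return "reauthorize"

    def auth_header(self):
        return {"Authorization": f"Bearer {self.access_token}"}

def plan(company, user, now):
    """Pending steps, company first: user sessions live inside a company session."""
    steps = []
    for kind, s in (("company", company), ("user", user)):
        action = s.next_action(now) if s is not None else "reauthorize"
        if action != "use":
            steps.append((kind, action))
    return steps

# Constructed sample responses (token values are placeholders, not real tokens).
COMPANY_RESP = {"access_token": "COMPANY_ACCESS_PLACEHOLDER", "token_type": "bearer",
                "expires_in": 2592000, "refresh_token": "COMPANY_REFRESH_PLACEHOLDER"}
USER_RESP = {"access_token": "USER_ACCESS_PLACEHOLDER", "token_type": "bearer",
             "expires_in": 1296000, "refresh_token": "USER_REFRESH_PLACEHOLDER"}
```

Record `issued_at` from your own server clock when the token response arrives, since the response carries only a relative expires_in.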
