POST /v1/oauth/token
OAuth token endpoint
curl --request POST \
  --url https://api.hq.zone/v1/oauth/token \
  --header 'Content-Type: application/json' \
  --data '
{
  "grant_type": "<string>",
  "client_id": "<string>",
  "client_secret": "<string>",
  "code": "<string>",
  "code_verifier": "<string>",
  "redirect_uri": "<string>",
  "refresh_token": "<string>"
}
'

{
  "access_token": "<string>",
  "expires_in": 123,
  "refresh_token": "<string>",
  "scope": "<string>",
  "token_type": "<string>"
}

Form-encoded token exchange (OAuth 2.1)

Exchanges an authorization code for tokens, or rotates a refresh token. The request body is application/x-www-form-urlencoded (per RFC 6749), not JSON.
  • grant_type=authorization_code — send code, redirect_uri, client_id, and the PKCE code_verifier matching the code_challenge from the authorize step.
  • grant_type=refresh_token — send refresh_token. Refresh tokens rotate: each use returns a new one and invalidates the old (reuse is detected and revokes the chain).
Returns a short-lived opaque access token (use it as Authorization: Bearer ...), a rotating refresh token, token_type, and expires_in. Access tokens last ~1 hour; refresh tokens ~30 days.

Body

application/json

authorization_code or refresh_token grant. Accepts application/x-www-form-urlencoded (the OAuth default) OR application/json.

  • grant_type (string, required)
  • client_id (string | null)
  • client_secret (string | null): Confidential-client secret (client_secret_post). Public clients omit it and rely on PKCE.
  • code (string | null)
  • code_verifier (string | null)
  • redirect_uri (string | null)
  • refresh_token (string | null)

Response

Access token + rotating refresh token

  • access_token (string, required)
  • expires_in (integer<int64>, required)
  • refresh_token (string, required)
  • scope (string, required): Space-delimited granted scopes (RFC 6749 §5.1).
  • token_type (string, required)