redirect_uri with a code parameter in the query string. This code is a one-time code that you can exchange for an access token.
POST request to the token endpoint. This call needs to be authenticated with the Client ID and Client Secret you got when creating the OAuth2 client.
Here is an example with cURL:
access_token will allow you to make authenticated API requests on behalf of the user. The refresh_token is a long-lived token that you can use to get new access tokens when the current one expires. The id_token is a signed JWT token containing information about the user, as per the OpenID Connect specification.
sub_type=organization to the authorization URL:
/v1/users/benefit will not work with organization access tokens.
client_secret parameter. However, the PKCE method will be required to maximize security.