POST /v6/auth/token
curl --request POST \
  --url https://sandbox.tight.com/v6/auth/token \
  --header 'Authorization: Basic <encoded-value>' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data userId=your_userId
{
  "access_token": "eyJhbGciOiJSUzI1NiJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
  "scope": "<string>"
}

Authorizations

Authorization
string
header
required

HTTP Basic authentication using client_id:client_secret

Body

application/x-www-form-urlencoded
grant_type
enum<string>

The OAuth 2.0 grant type to use. Defaults to client_credentials.

Available options: client_credentials, authorization_code, refresh_token

userId
string

The Tight user ID to generate a scoped token for. Omit to generate a partner-level token with access to all companies.

code
string

The authorization code received from the authorization endpoint. Required for authorization_code grant type.

redirect_uri
string

The redirect URI used in the authorization request. Required for authorization_code grant type.

code_verifier
string

The PKCE code verifier. Required when code_challenge_method=S256 was used in the authorization request.

refresh_token
string

The refresh token to exchange for a new access token. Required for refresh_token grant type.

Response

200 - application/json

Access token issued successfully

access_token
string

The bearer token to include in API requests.

Example:

"eyJhbGciOiJSUzI1NiJ9..."

token_type
enum<string>

Available options: Bearer

Example:

"Bearer"

expires_in
integer

Token lifetime in seconds.

Example:

3600

refresh_token
string

Refresh token, returned for authorization_code grant types.

Example:

"tGzv3JOkF0XG5Qx2TlKWIA"

scope
string

Space-separated list of granted scopes, if applicable.