Request Access Token

Authorizations

Authorization

string

header

required

HTTP Basic authentication using client_id:client_secret

Body

application/x-www-form-urlencoded

grant_type

enum<string>

The OAuth 2.0 grant type to use. Defaults to client_credentials

Available options:

client_credentials,

authorization_code,

refresh_token

userId

string

The Tight user ID to generate a scoped token for. Omit to generate a partner-level token with access to all companies.

code

string

The authorization code received from the authorization endpoint. Required for authorization_code grant type.

redirect_uri

string

The redirect URI used in the authorization request. Required for authorization_code grant type.

code_verifier

string

The PKCE code verifier. Required when code_challenge_method=S256 was used in the authorization request.

refresh_token

string

The refresh token to exchange for a new access token. Required for refresh_token grant type.

scope

enum<string>

Limits the token's permissions. Use read to create a read-only token, or write to allow write access. Defaults to write if omitted.

Available options:

read,

write

Response

200 - application/json

Access token issued successfully

access_token

string

The bearer token to include in API requests.

Example:

"eyJhbGciOiJSUzI1NiJ9..."

token_type

enum<string>

Available options:

Bearer

Example:

"Bearer"

expires_in

integer

Token lifetime in seconds.

Example:

3600

refresh_token

string

Refresh token, returned for authorization_code grant types.

Example:

"tGzv3JOkF0XG5Qx2TlKWIA"

scope

string

Space-separated list of granted scopes, if applicable.