Skip to main content
POST
OAuth 2.1 PKCE token exchange

Body

application/json
data
object
required

Token request body. Two grants share this endpoint: the loopback authorization-code grant (CLI exchanges a one-shot code + PKCE verifier) and the RFC 8628 device grant (CLI polls with the device_code from /oauth/device/code). Unauthenticated — security comes from the code/device_code being single-use, short-lived, and (for authorization_code) bound to the SHA-256 of code_verifier. Per-grant required fields are enforced server-side.

Response

The request has succeeded.

data
object
required

Token response. The CLI persists access_token + refresh_token; the server only stores their hashes.