POST /v1/oauth/token
Service: identity · operationId: (none)
OAuth 2.1 token endpoint — exchanges an authorization code or a refresh token for new tokens
Required scopes
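(no scope declared — a token endpoint normally authenticates the client rather than checking a bearer scope, so confirm in the service config that this is intentional)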
Responses
200 Tokens issued
{
"type": "object",
"properties": {
"access_token": {
"type": "string",
"description": "Opaque access token (lph_at_*)"
},
"token_type": {
"type": "string",
"enum": [
"Bearer"
]
},
"expires_in": {
"type": "integer",
"description": "Token lifetime in seconds"
},
"refresh_token": {
"type": "string",
"description": "Opaque refresh token (lph_rt_*)"
},
"scope": {
"type": "string",
"description": "Space-separated granted scopes"
},
"id_token": {
"type": "string",
"description": "OIDC id_token JWT (when openid scope)"
}
},
"required": [
"access_token",
"token_type",
"expires_in",
"refresh_token",
"scope"
]
}
400 Invalid request
{
"type": "object",
"properties": {
"error": {
"type": "string",
"description": "OAuth 2 error code (RFC 6749 §5.2)"
},
"error_description": {
"type": "string",
"description": "Human-readable error message"
},
"error_uri": {
"type": "string",
"description": "URI for more info"
}
},
"required": [
"error",
"error_description"
]
}
401 Invalid client or credentials
{
"type": "object",
"properties": {
"error": {
"type": "string",
"description": "OAuth 2 error code (RFC 6749 §5.2)"
},
"error_description": {
"type": "string",
"description": "Human-readable error message"
},
"error_uri": {
"type": "string",
"description": "URI for more info"
}
},
"required": [
"error",
"error_description"
]
}
403 Scope or permission denied
{
"type": "object",
"properties": {
"error": {
"type": "string",
"description": "OAuth 2 error code (RFC 6749 §5.2)"
},
"error_description": {
"type": "string",
"description": "Human-readable error message"
},
"error_uri": {
"type": "string",
"description": "URI for more info"
}
},
"required": [
"error",
"error_description"
]
}
Example
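# Authorization-code exchange. The token endpoint is where the access token is
# obtained, so the request carries a form-encoded grant instead of an
# "Authorization: Bearer" header.
# Parameter names follow RFC 6749 §4.1.3 and RFC 7636 (PKCE); this page does not
# show the request schema, so confirm them against the identity service.
# For a refresh, send grant_type=refresh_token with refresh_token=$REFRESH_TOKEN.
# Confidential clients also authenticate, e.g. HTTP Basic: -u "$CLIENT_ID:$CLIENT_SECRET".
# Values are read from environment variables so codes and secrets are not typed
# into the command line or saved in shell history.
curl -X POST https://identity.platform.loop.health/v1/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "grant_type=authorization_code" \
  --data-urlencode "code=$AUTH_CODE" \
  --data-urlencode "redirect_uri=$REDIRECT_URI" \
  --data-urlencode "client_id=$CLIENT_ID" \
  --data-urlencode "code_verifier=$CODE_VERIFIER"

Related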
- services/identity — service overview
- All endpoints — directory across services
- Auth model — how scopes are enforced