Get or refresh a token
Exchange an authorization code for tokens, or refresh an expired access token. The grant_type field selects which.
- Exchange an authorization code (grant_type: authorization_code). Run this once, right after a consent. The code is single-use, expires in about 60 seconds, and needs the code_verifier matching the challenge you sent to Authorize.
- Refresh an access token (grant_type: refresh_token). Repeatable. Paste a stored refresh token to get a fresh access token. No new refresh token is returned.
client_secret from your handoff document. The access_token you receive is the Bearer credential for the lookup endpoints.
Body
OAuth token request. Which fields apply depends on grant_type.
Both grants: use authorization_code to exchange a code, or refresh_token to refresh. Allowed values: authorization_code, refresh_token
Both grants: your client ID for the environment.
Both grants: your client secret for the environment.
authorization_code grant: the single-use code from the /authorize redirect. Expires in about 60 seconds.
authorization_code grant: must match the callback registered with TaxRock.
authorization_code grant: the PKCE verifier matching the challenge sent to /authorize.
refresh_token grant: your stored refresh token.
refresh_token grant: the API audience (https://delegate.api.taxrock.com), so the new access token targets the Delegate API.
Response
Token issued.
Send as a Bearer credential to the Delegate API.
Access token lifetime in seconds (~3600).
Bearer
authorization_code grant: the refresh grant returns no new refresh token, so keep using the one you have.
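A client-side sketch of both grants and of the token storage they imply, added here as an example and not taken from TaxRock's own code. The function names are hypothetical; the parameter names client_id, redirect_uri and audience, the response field expires_in, and the S256 challenge method are standard OAuth 2.0 / RFC 7636 conventions assumed here, not confirmed by this page.

```python
import base64
import hashlib
import secrets
import time

AUDIENCE = "https://delegate.api.taxrock.com"  # API audience given on this page

def new_code_verifier():
    # 32 random bytes -> 43-char base64url string, inside RFC 7636's 43-128 range.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def s256_challenge(verifier):
    # RFC 7636 S256: BASE64URL(SHA256(verifier)) without padding (S256 is assumed).
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def code_exchange_body(client_id, client_secret, code, redirect_uri, verifier):
    # One-shot: the code is single-use and expires in about 60 seconds.
    return {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "code": code,
            "redirect_uri": redirect_uri, "code_verifier": verifier}

def refresh_body(client_id, client_secret, refresh_token):
    # Repeatable: the audience makes the new access token target the Delegate API.
    return {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token,
            "audience": AUDIENCE}

def merge_tokens(stored, response, now=None):
    # The refresh grant returns no refresh token, so fall back to the stored one
    # instead of overwriting it with nothing.
    now = time.time() if now is None else now
    refresh = response.get("refresh_token") or stored.get("refresh_token")
    if not refresh:
        raise ValueError("no refresh token in response or store; consent is needed again")
    return {"access_token": response["access_token"],
            "refresh_token": refresh,
            "expires_at": now + int(response["expires_in"])}

def needs_refresh(stored, now=None, skew=60):
    # Refresh slightly early so no request goes out with an expired access token.
    now = time.time() if now is None else now
    return now >= stored["expires_at"] - skew
```

Keep the verifier server-side between the Authorize redirect and the code exchange, and store the refresh token and client secret with the same care as a password.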

