POST /oauth/token
curl --request POST \
  --url https://login-demo.taxrock.com/oauth/token \
  --header 'Content-Type: application/json' \
  --data '
{
  "grant_type": "authorization_code",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "code": "CODE_FROM_AUTHORIZE_REDIRECT",
  "redirect_uri": "http://localhost:0000",
  "code_verifier": "PKCE_VERIFIER_FROM_AUTHORIZE_STEP"
}
'
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5c...",
  "refresh_token": "v1.MZ8aRq3K...",
  "scope": "offline_access read:client-accounts",
  "expires_in": 3600,
  "token_type": "Bearer"
}
Fill in the fields for the grant you want, then Run it. Each request field is labeled with the grant it applies to.
  • Exchange an authorization code (grant_type: authorization_code). Run this once, right after a consent. The code is single-use, expires in about 60 seconds, and needs the code_verifier matching the challenge you sent to Authorize.
  • Refresh an access token (grant_type: refresh_token). Repeatable. Paste a stored refresh token to get a fresh access token. No new refresh token is returned.
In the sandbox, use the client_secret from your handoff document. The access_token you receive is the Bearer credential for the lookup endpoints.
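An added client-side example (not code from the TaxRock docs) covering both grants described above: it generates an S256 PKCE pair for the /authorize step, builds the /oauth/token body for exactly one grant at a time, and merges the response into a stored credential set while keeping the existing refresh token, since the refresh grant returns none. The function names and the in-memory store are assumptions; the token URL and audience are the ones on this page.

```python
import base64, hashlib, json, secrets, time, urllib.request

TOKEN_URL = "https://login-demo.taxrock.com/oauth/token"
AUDIENCE = "https://delegate.api.taxrock.com"

def pkce_challenge(verifier):
    """S256 code_challenge for a verifier (RFC 7636): base64url(sha256), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def make_pkce_pair():
    """Fresh (code_verifier, code_challenge); keep the verifier until the token call."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, pkce_challenge(verifier)

def build_token_request(client_id, client_secret, *, code=None, redirect_uri=None,
                        code_verifier=None, refresh_token=None):
    """JSON body for /oauth/token. Exactly one grant: a code or a refresh token."""
    body = {"client_id": client_id, "client_secret": client_secret}
    if code is not None:
        if not (redirect_uri and code_verifier):
            raise ValueError("authorization_code grant needs redirect_uri and code_verifier")
        body.update(grant_type="authorization_code", code=code,
                    redirect_uri=redirect_uri, code_verifier=code_verifier)
    elif refresh_token is not None:
        body.update(grant_type="refresh_token", refresh_token=refresh_token,
                    audience=AUDIENCE)
    else:
        raise ValueError("provide either code or refresh_token")
    return body

def apply_token_response(store, response, now=None):
    """Merge a token response into the stored credentials (hypothetical dict store).
    The refresh grant returns no refresh_token, so the stored one is kept."""
    now = time.time() if now is None else now
    store["access_token"] = response["access_token"]
    store["expires_at"] = now + int(response["expires_in"])
    if "refresh_token" in response:
        store["refresh_token"] = response["refresh_token"]
    return store

def needs_refresh(store, now=None, skew=60):
    """True when the access token is within `skew` seconds of expiry (or absent)."""
    now = time.time() if now is None else now
    return store.get("expires_at", 0) - skew <= now

def post_token(body):
    """Send the body to the sandbox token endpoint (network call, not run offline)."""
    req = urllib.request.Request(TOKEN_URL, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```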

Body

application/json

OAuth token request. Which fields apply depends on grant_type.

grant_type
enum<string>
required

Both grants: use authorization_code to exchange a code, or refresh_token to refresh.

Available options: authorization_code, refresh_token

client_id
string
required

Both grants: your client ID for the environment.

client_secret
string
required

Both grants: your client secret for the environment.

code
string

authorization_code grant: the single-use code from the /authorize redirect. Expires in about 60 seconds.

redirect_uri
string

authorization_code grant: must match the callback registered with TaxRock.

code_verifier
string

authorization_code grant: the PKCE verifier matching the challenge sent to /authorize.

refresh_token
string

refresh_token grant: your stored refresh token.

audience
string

refresh_token grant: the API audience (https://delegate.api.taxrock.com), so the new access token targets the Delegate API.

Response

Token issued.

access_token
string
required

Send as a Bearer credential to the Delegate API.

scope
string
required

expires_in
integer
required

Access token lifetime in seconds (~3600).

token_type
enum<string>
required

Available options: Bearer

refresh_token
string

authorization_code grant only: store this refresh token. The refresh_token grant returns no new refresh token, so keep using the one you have.