The token endpoint can be used to programmatically request tokens. It supports the authorization_code, client_credentials, refresh_token and token_exchange grant types).
client_id client identifier (required)
client_secret client secret either in the post body, or as a basic authentication header. Optional.
grant_type
authorization_code, client_credentials, refresh_token or urn:ietf:params:oauth:grant-type:token-exchange
scope one or more registered scopes. If not specified, a token for all explicitly allowed scopes will be issued.
redirect_uri required for the authorization_code grant type
code the authorization code (required for authorization_code grant type)
code_verifier PKCE proof key
refresh_tokenthe refresh token (required for refresh_token grant type)
subject_token_type used for the token_exchange grant type.
Must be set to urn:ietf:params:oauth:token-type:access_token
subject_token used for the token_exchange grant type. A base64-encoded access token to be exchanged
Return values
In the case of a successful request HelseID will return the following parameters:
identity_token the Identity Token, as a Base64 encoded JWT, that corresponds to the current user session. This is only returned when using the authorization_code flow.
access_token the Access Token as a Base64 encoded JWT.
token_type the type of token returned. For HelseID this will always be bearer, indicating that the token should be used as a bearer token.
expires_in the number of seconds until the access token expires.
refresh_token the Refresh Token. This is only returned when the user requests a Refresh Token using the offline_access scope or when using the refresh_token flow.
rt_expires_in the number of seconds until the refresh token expires. This value is not part of the standard Token Endpoint flow, but has been added as a convenience for consumers of HelseID.