The token endpoint can be used to programmatically request tokens. It supports the authorization_code, client_credentials, refresh_token and token_exchange grant types.
client_id
client identifier (required)
client_secret
client secret either in the post body, or as a basic authentication header. Optional.
grant_type
authorization_code, client_credentials, refresh_token or urn:ietf:params:oauth:grant-type:token-exchange
scope
one or more registered scopes. If not specified, a token for all explicitly allowed scopes will be issued.
resource
an API resource. Will return an access token with the audience claim set to this API. For retrieving multiple access tokens in an authorization code flow, the first request is made with the code, while subsequent requests must be made with the refresh token.
redirect_uri
required for the authorization_code grant type
code
the authorization code (required for authorization_code grant type)
code_verifier
PKCE proof key
refresh_token
the refresh token (required for refresh_token grant type)
subject_token_type
used for the token_exchange grant type. Must be set to urn:ietf:params:oauth:token-type:access_token
subject_token
used for the token_exchange grant type. A base64-encoded access token to be exchanged
Return values
In the case of a successful request HelseID will return the following parameters:
identity_token
the Identity Token, as a Base64 encoded JWT, that corresponds to the current user session. This is only returned when using the authorization_code flow.
access_token
the Access Token as a Base64 encoded JWT.
token_type
the type of token returned. For HelseID this will always be bearer, indicating that the token should be used as a bearer token.
expires_in
the number of seconds until the access token expires.
refresh_token
the Refresh Token. This is only returned when the user requests a Refresh Token using the offline_access scope or when using the refresh_token flow.
rt_expires_in
the number of seconds until the refresh token expires. This value is not part of the standard Token Endpoint flow, but has been added as a convenience for consumers of HelseID.
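The multi-resource sequence described under the resource parameter, as an added example (not HelseID's own code): the first request redeems the code for one resource, and every further resource is requested with the refresh token. The `send` callable, `fake_endpoint`, and all client, code and resource values are constructed for illustration; client authentication is left out.

```python
from urllib.parse import urlencode, parse_qs

# Parameters the page marks as required for these two grant types.
REQUIRED = {
    "authorization_code": ("code", "redirect_uri"),
    "refresh_token": ("refresh_token",),
}

def build_token_request(client_id, grant_type, **params):
    """Return the form-encoded POST body for one token request."""
    if grant_type not in REQUIRED:
        raise ValueError(f"grant type not covered by this sketch: {grant_type}")
    missing = [p for p in REQUIRED[grant_type] if not params.get(p)]
    if missing:
        raise ValueError(f"{grant_type} requires: {', '.join(missing)}")
    fields = {"client_id": client_id, "grant_type": grant_type}
    fields.update({k: v for k, v in params.items() if v is not None})
    return urlencode(fields)

def tokens_for_resources(send, client_id, code, redirect_uri, code_verifier, resources):
    """Return {resource: access_token}. `send` (hypothetical) posts a body, returns the parsed response."""
    first, *rest = resources
    resp = send(build_token_request(client_id, "authorization_code", code=code,
                                    redirect_uri=redirect_uri, code_verifier=code_verifier,
                                    resource=first))
    tokens, refresh = {first: resp["access_token"]}, resp.get("refresh_token")
    for resource in rest:
        if not refresh:
            raise RuntimeError("no refresh token returned; was offline_access requested?")
        resp = send(build_token_request(client_id, "refresh_token",
                                        refresh_token=refresh, resource=resource))
        tokens[resource] = resp["access_token"]
        refresh = resp.get("refresh_token", refresh)  # use the newest refresh token
    return tokens

def fake_endpoint(log):
    """Constructed stand-in for the token endpoint: records each request, returns dummy tokens."""
    def send(body):
        form = {k: v[0] for k, v in parse_qs(body).items()}
        log.append(form)
        return {"access_token": "at-for-" + form["resource"], "token_type": "bearer",
                "expires_in": 600, "refresh_token": f"rt-{len(log)}", "rt_expires_in": 3600}
    return send

if __name__ == "__main__":
    log = []
    print(tokens_for_resources(fake_endpoint(log), "my-client", "constructed-code",
                               "https://client.example/callback", "constructed-verifier",
                               ["api-a", "api-b"]))
```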