Token Exchange

The token exchange creates the tokens for the company session and the user session.

In this step, as in the standard OAuth 2.0 authorization code flow, the code you received in the authorization step is exchanged for an access_token. That token is used to access Xoxoday resources within the scopes the user allowed.

A user session must be created within a company session, so after authorization create the company session first and then the user session.

Because this request carries sensitive information (the client_secret), it must be sent from your server, never from a browser or mobile client where the secret could be extracted. The POST request below creates both sessions: the same request is sent twice, with a different value of the token_type path parameter for each session.

curl -X POST {OAUTH_URL}/v1/oauth/token/{token_type} \
  -H 'Content-Type: application/json' \
  -d '{
        "grant_type": "authorization_code",
        "code": "exxxx69660xxxxa6413c17d897xxxxx99",
        "redirect_uri": "{client_redirect_url}",
        "client_id": "{client_id}",
        "client_secret": "{client_secret}"
      }'

The token_type path parameter takes one of two values, one for a company session and one for a user session. Use the company value when the authorization request was made for a company session, and the user value when it was made for a user session.

Path parameter

token_type (string): Selects which session the token is issued for, the company session or the user session.

Request body parameters

grant_type (string): OAuth defines several grant types, but Xoxoday supports only authorization_code (for this exchange) and refresh_token (to renew an expired access_token).

code (string): The authorization code you obtained in the previous step. It is single-use: once it has been exchanged it cannot be presented again.

redirect_uri (string): Must exactly match the redirect URL you supplied at client registration and used in the authorization request.

client_id (string): The client_id value you received after client registration.

client_secret (string): The client_secret value you received after client registration. Keep it on your server only.

{
  "access_token": "eyJ0b2tlbkNvbnRlbnQiOnsiaXNzdWVkRm9yIjoiRnJlc2h3b3JrcyIsInNjb3BlIjoiIiwiaXNzdWVkQXQiOjE1NTk4MDQ1NTAxMzYsImV4cGlyZXNBdCI6IjIwMTktMDctMDZUMDc6MDI6MzAuMTM2WiIsInRva2VuX3R5cGUiOiJDT01QQU5ZIn0sImFfdCI6ImY3ZWM1MWMyYmE0ZGNmNzY2ZWE0ZDExMTI3ZjEzZjQzZjAwZmNhN2EifQ==",
  "token_type": "bearer",
  "expires_in": 2592000,
  "refresh_token": "064be187f42e9238122ef9d7a985c8800dff3752",
  "email": "email@example.com"
}

The email field is returned only in the response to company session generation.

In the above response:

access_token is the bearer token the client uses to call the Xoxoday API.

token_type is bearer, meaning the access_token is sent in the Authorization header of each API request as Authorization: Bearer <access_token>.

expires_in is the number of seconds for which the access_token is valid (2592000 seconds is 30 days, the default company session length).

User access_token and refresh_token:

  • The user access_token is generated under the company access token, so the company session must exist first.

  • A user session lasts 15 days by default. The refresh_token lets the client obtain a new access_token once the old one has expired; for a user session the refresh_token is valid for 30 days.

Company access_token and refresh_token:

  • A company session lasts 30 days by default. The refresh_token lets the client obtain a new access_token once the old one has expired; for a company session the refresh_token is valid for 60 days.

Renew the access_token before the refresh_token itself expires; once both have expired, the authorization step has to be repeated to obtain fresh tokens.
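The two-step exchange described on this page, as an added example in Python that is not Xoxoday's code or part of the original page. The host, client_id, client_secret, redirect URI, and the literal values "company" and "user" for the {token_type} path segment are placeholders and assumptions; the body of the refresh_token request is also an assumption, since the page does not show it. The HTTP call is injected so that a constructed fake endpoint can stand in for the real one offline; in production you would pass a thin wrapper around an HTTPS client instead.

```python
"""Two-step token exchange (company session, then user session) with an
injectable HTTP function so the flow can be exercised offline."""
import time
from typing import Callable, Dict, Optional, Tuple

# Placeholders: the real values come from your Xoxoday client registration.
OAUTH_URL = "https://oauth.example.invalid"                  # assumed host
CLIENT_ID = "example-client-id"                              # assumed
CLIENT_SECRET = "example-client-secret"                      # assumed; stays on the server
REDIRECT_URI = "https://app.example.invalid/oauth/callback"  # must equal the registered URL
COMPANY, USER = "company", "user"  # assumed literal values for the {token_type} path segment

# (url, json_body) -> (http_status, json_response); wrap a real HTTPS client for production use.
HttpPost = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, object]]]


class Session:
    """One issued access_token plus what is needed to use and renew it."""

    def __init__(self, token_type: str, payload: Dict[str, object], now: float) -> None:
        self.token_type = token_type
        self.access_token = str(payload["access_token"])
        self.refresh_token = str(payload["refresh_token"])
        self.expires_at = now + int(payload["expires_in"])
        self.email = payload.get("email")  # returned for company sessions only

    def is_expired(self, now: float, skew: int = 60) -> bool:
        # Expire a little early so a request already in flight does not fail.
        return now >= self.expires_at - skew

    def auth_header(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.access_token}"}


def _post_token(post: HttpPost, token_type: str, body: Dict[str, str]) -> Dict[str, object]:
    status, payload = post(f"{OAUTH_URL}/v1/oauth/token/{token_type}", body)
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {payload}")
    for key in ("access_token", "token_type", "expires_in", "refresh_token"):
        if key not in payload:
            raise ValueError(f"token response missing {key}")
    if str(payload["token_type"]).lower() != "bearer":
        raise ValueError(f"unexpected token_type {payload['token_type']!r}")
    return payload


def exchange_code(post: HttpPost, token_type: str, code: str, now: Optional[float] = None,
                  redirect_uri: str = REDIRECT_URI) -> Session:
    """grant_type=authorization_code: trade a one-time code for a session."""
    now = time.time() if now is None else now
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
    return Session(token_type, _post_token(post, token_type, body), now)


def refresh_session(post: HttpPost, session: Session, now: Optional[float] = None) -> Session:
    """grant_type=refresh_token. The page does not show this request body, so the
    refresh_token field name is an assumption."""
    now = time.time() if now is None else now
    body = {"grant_type": "refresh_token", "refresh_token": session.refresh_token,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
    return Session(session.token_type, _post_token(post, session.token_type, body), now)


def create_sessions(post: HttpPost, company_code: str, user_code: str,
                    now: Optional[float] = None) -> Tuple[Session, Session]:
    """Company session first, then the user session that lives inside it."""
    now = time.time() if now is None else now
    company = exchange_code(post, COMPANY, company_code, now)
    if company.is_expired(now):
        raise RuntimeError("company session unusable; not creating a user session")
    return company, exchange_code(post, USER, user_code, now)


def make_fake_endpoint() -> HttpPost:
    """Constructed stand-in for the token endpoint (not Xoxoday's server). It enforces
    what the page describes: client credentials and redirect_uri must match the
    registration, codes are single-use, lifetimes are 30 days (company) / 15 days (user)."""
    unused_codes = {"code-company", "code-user", "code-spare"}

    def post(url: str, body: Dict[str, str]) -> Tuple[int, Dict[str, object]]:
        token_type = url.rsplit("/", 1)[1]
        if body.get("client_id") != CLIENT_ID or body.get("client_secret") != CLIENT_SECRET:
            return 401, {"error": "invalid_client"}
        if body.get("grant_type") == "authorization_code":
            if body.get("redirect_uri") != REDIRECT_URI:
                return 400, {"error": "invalid_grant", "error_description": "redirect_uri mismatch"}
            if body.get("code") not in unused_codes:
                return 400, {"error": "invalid_grant", "error_description": "unknown or reused code"}
            unused_codes.discard(body["code"])
            subject = body["code"]
        elif body.get("grant_type") == "refresh_token":
            subject = body.get("refresh_token", "")
        else:
            return 400, {"error": "unsupported_grant_type"}
        resp: Dict[str, object] = {
            "access_token": f"{token_type}-access-{subject}", "token_type": "bearer",
            "expires_in": 30 * 86400 if token_type == COMPANY else 15 * 86400,
            "refresh_token": f"{token_type}-refresh"}
        if token_type == COMPANY:
            resp["email"] = "email@example.com"  # email only in the company response
        return 200, resp

    return post
```

Calling create_sessions(make_fake_endpoint(), "code-company", "code-user") performs the company exchange, refuses to continue if that session is unusable, then performs the user exchange; presenting a code a second time or sending a redirect_uri other than the registered one is rejected by the endpoint and surfaces as a RuntimeError, and the stored expires_at is what drives the decision to call refresh_session.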
