Token Exchange
The token exchange involves the creation of tokens for company sessions and user sessions.
In this step, as per the OAuth protocol, the code you received in the authorization request is exchanged for the access_token, which is used for accessing Xoxoday resources granted based on the scopes allowed by the user.
User sessions should be created within a company session. Hence, after authorization, create the company session first, followed by the user session.
As this request involves sensitive information, i.e., client_secret, your server must make the following POST request to get the access_token.
The following POST request should be used to create the sessions. The same POST method is used to create the two sessions, with different values for the parameter token_type.
getAccessToken
POST
The token_type can take one of two values: user session or company session. If the authorization request was for company session creation, then the token_type value is for the company; if the authorization request was for user session creation, then the token_type value is for the user.
Path Parameters
Name | Type | Description |
---|---|---|
grant_type | string | Although OAuth supports different grant_type values, the values supported by Xoxoday are authorization_code and refresh_token. |
code | string | This is the authorization code value that you obtained in response to the previous step. |
redirect_uri | string | The URL must match the URL you have shared in the registration. |
client_id | string | This is the client_id value that you received after the client registration. |
client_secret | string | This is the client_secret value that you received after the client registration. |
In the above response, access_token is the bearer token that can be used by the client to access the API of Xoxoday. token_type is bearer, which must be passed in the Authorization header. expires_in is the duration (in seconds) for which access_token is valid.
User access_token and refresh_token:
The user access_token is generated based on the company access token. The default user session lasts for 15 days. refresh_token is the value with which the client can regenerate the expired access_token. For the user session, the refresh_token lasts for 30 days.
Company access_token and refresh_token:
The default company session lasts for 30 days. refresh_token is the value with which the client can regenerate an expired access_token. For the company session, this refresh_token lasts for 60 days.
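The following is an added example, not Xoxoday's own code: a server-side sketch that builds the token POST for both supported grant_type values and decides, from expires_in and the session lifetimes above, whether to use, refresh or re-authorize. Assumptions: TOKEN_URL is a placeholder (the endpoint is not given here), the body is form-encoded, the refresh grant uses the RFC 6749 refresh_token field without redirect_uri, the refresh_token lifetime counts from the issue time, and the function names are hypothetical; token_type is left out of the request because its exact values are not listed.

```python
import time
import urllib.parse
import urllib.request

# Placeholder: the page does not state the token endpoint URL.
TOKEN_URL = "https://token-endpoint.invalid/placeholder"

def build_token_request(client_id, client_secret, redirect_uri,
                        code=None, refresh_token=None, token_url=TOKEN_URL):
    """Build (without sending) the server-side POST for either grant_type."""
    if (code is None) == (refresh_token is None):
        raise ValueError("pass exactly one of code or refresh_token")
    if not token_url.startswith("https://"):
        raise ValueError("client_secret must only be sent over HTTPS")
    params = {"client_id": client_id, "client_secret": client_secret}
    if code is not None:
        params.update(grant_type="authorization_code", code=code,
                      redirect_uri=redirect_uri)
    else:
        # Assumption: RFC 6749 field name for the refresh grant.
        params.update(grant_type="refresh_token", refresh_token=refresh_token)
    # Secret goes in the POST body, never in the URL (URLs end up in logs).
    body = urllib.parse.urlencode(params).encode()
    return urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def next_action(expires_in, issued_at, refresh_days, now=None, skew=60):
    """Return 'use', 'refresh' or 'reauthorize' for a stored token pair."""
    now = time.time() if now is None else now
    if now < issued_at + expires_in - skew:
        return "use"            # access_token still valid
    # Assumption: refresh_token lifetime is counted from the same issue time.
    if now < issued_at + refresh_days * 86400:
        return "refresh"        # regenerate access_token with refresh_token
    return "reauthorize"        # both expired: repeat the authorization step

if __name__ == "__main__":
    req = build_token_request("constructed-id", "constructed-secret",
                              "https://app.example/callback", code="constructed-code")
    print(req.get_method(), req.full_url, len(req.data), "body bytes")
    day = 86400  # user session from the page: 15-day access, 30-day refresh
    for d in (1, 20, 31):
        print(d, next_action(15 * day, 0, 30, now=d * day))
```

Keep client_secret in server-side configuration (for example an environment variable or secret store) and out of logs, and store issued_at alongside each token pair so the expiry decision can be made without a failed API call.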