# Token Creation & Token Management

In this step, as per the OAuth protocol, the code received by the client in the [authorization](https://xoxoday.gitbook.io/plum/developer-resources/storefront-integration/api-endpoints/authorization) step is exchanged for an access\_token, which is used to access the Xoxoday storefront within the scopes the user has allowed.

## **Access Token Generation**

{% tabs %}
{% tab title="Request" %}

> Because this request carries sensitive information (the client\_secret), it must be made from the client server. The POST request that obtains the access\_token is:

```
curl -X POST {OAUTH_URL}/v1/oauth/token/company \
  -d '{
    "grant_type": "authorization_code",
    "code": "exxxx69660xxxxa6413c17d897xxxxx99",
    "redirect_uri": "{client_redirect_url}",
    "client_id": "{client_id}",
    "client_secret": "{client_secret}"
  }'
```

{% endtab %}

{% tab title="Response" %}

> After the Xoxoday server validates these parameters, the successful response is:

```
{
    "access_token": "eyJ0b2tlbkNvbnRlbnQiOnsiaXNzdWVkRm9yIjoiRnJlc2h3b3JrcyIsInNjb3BlIjoiIiwiaXNzdWVkQXQiOjE1NTk4MDQ1NTAxMzYsImV4cGlyZXNBdCI6IjIwMTktMDctMDZUMDc6MDI6MzAuMTM2WiIsInRva2VuX3R5cGUiOiJDT01QQU5ZIn0sImFfdCI6ImY3ZWM1MWMyYmE0ZGNmNzY2ZWE0ZDExMTI3ZjEzZjQzZjAwZmNhN2EifQ==",
    "token_type": "bearer",
    "expires_in": 2592000,
    "refresh_token": "064be187f42e9238122ef9d7a985c8800dff3752",
    "email": "email@example.com"
}
```

`email` is the email address of the user who granted access.

{% endtab %}
{% endtabs %}

## `Parameters`

{% tabs %}
{% tab title="Request" %}

#### `Body Parameters`

| `Parameters`     | `Description` |
| ---------------- | ------------- |
| `token_type*`    | One of two values, `company` or `user`. If the request in the [authorization](https://xoxoday.gitbook.io/plum/developer-resources/storefront-integration/api-endpoints/authorization) step created a company session, the `token_type` is `company`; if it created a user session, the `token_type` is `user`. |
| `grant_type*`    | OAuth defines several `grant_type` values; Xoxoday supports `authorization_code` and `refresh_token`. |
| `code*`          | The temporary code the client obtained in the [authorization](https://xoxoday.gitbook.io/plum/developer-resources/storefront-integration/api-endpoints/authorization) step. Authorization codes expire 5 minutes after creation. |
| `client_id*`     | The `client_id` value received upon registration in the [Getting Started](https://xoxoday.gitbook.io/plum/developer-resources/storefront-integration/getting-started) step. |
| `redirect_uri*`  | Must match the URL shared during [company registration](https://xoxoday.gitbook.io/plum/developer-resources/getting-started#step-1-company-registration). |
| `client_secret*` | The `client_secret` value received upon registration in the [Getting Started](https://xoxoday.gitbook.io/plum/developer-resources/storefront-integration/getting-started) step. |

{% endtab %}

{% tab title="Response" %}

#### `Body Parameters`

| `Parameters`    | `Type`   | `Description` |
| --------------- | -------- | ------------- |
| `access_token`  | `Bearer` | Used by the client to access the Xoxoday API. |
| `token_type`    | `Bearer` | Must be passed in the `Authorization` header. |
| `expires_in`    |          | The duration (in seconds) for which the `access_token` is valid. The default user session lasts 15 days; the default company session lasts 30 days. |
| `refresh_token` | `Bearer` | The value with which the client can regenerate an expired `access_token`. The refresh token for a user session lasts 30 days; the refresh token for a company session lasts 60 days. |

{% endtab %}
{% endtabs %}

#### **Diagrammatic Representation for** [**Authorization**](https://xoxoday.gitbook.io/plum/developer-resources/storefront-integration/api-endpoints/authorization) **&** [**Access Token generation**](#access-token-generation)**.**

<figure><img src="https://1597622271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MOeXh7erUO5h_LVpN85%2Fuploads%2FAR90ucrkzL22LCOklpW3%2FScreenshot%202022-09-23%20at%202.27.20%20PM.png?alt=media&#x26;token=34ef7fd3-2e20-44f0-994a-84defe7e16bf" alt=""><figcaption></figcaption></figure>

## **Access Token generation from Refresh Token**

{% tabs %}
{% tab title="Request" %}

> Once the access token has expired, it can be regenerated from the refresh token with the following request:

```
curl -X POST {OAUTH_URL}/v1/oauth/token/company \
  -d '{
    "grant_type": "refresh_token",
    "refresh_token": "064be187f42e9238122ef9d7a985c8800dff3752",
    "client_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "client_secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  }'
```

{% endtab %}

{% tab title="Response" %}

> After the Xoxoday server validates these parameters, the successful response is:

```
{
    "access_token": "eysdkhsdbjbdfsNvbnRlbnQiOnsiaXNzdWVkRm9yIjoiRnJlc2h3b3JrcyIsInNjb3BlIjoiIiwiaXNzdWVkQXQiOjE1NTk4MDQ1NTAxMzYsImV4cGlyZXNBdCI6IjIwMTktMDctMDZUMDc6MDI6MzAuMTM2WiIsInRva2VuX3R5cGUiOiJDT01QQU5ZIn0sImFfdCI6ImY3ZWM1MWMyYmE0ZGNmNzY2ZWE0ZDExMTI3ZjEzZjQzZjAwZmNhsdjhfbsfdjblfs",
    "token_type": "bearer",
    "expires_in": 2592000,
    "refresh_token": "sdff064be187f42e9238122ef9d7a985c8800dff3752"
}
```

{% endtab %}
{% endtabs %}

## `Parameters`

{% tabs %}
{% tab title="Request" %}

#### `Body Parameters`

| `Parameters`     | `Description` |
| ---------------- | ------------- |
| `grant_type*`    | OAuth defines several `grant_type` values; Xoxoday supports `authorization_code` and `refresh_token`. |
| `client_id*`     | The `client_id` value received upon registration in the [Getting Started](https://xoxoday.gitbook.io/plum/developer-resources/storefront-integration/getting-started) step. |
| `client_secret*` | The `client_secret` value received upon registration in the [Getting Started](https://xoxoday.gitbook.io/plum/developer-resources/storefront-integration/getting-started) step. |
| `refresh_token*` | The value with which the client can regenerate an expired `access_token`. The refresh token for a user session lasts 30 days; the refresh token for a company session lasts 60 days. |

{% endtab %}

{% tab title="Response" %}

#### `Body Parameters`

| `Parameters`    | `Type`   | `Description` |
| --------------- | -------- | ------------- |
| `access_token`  | `Bearer` | Used by the client to access the Xoxoday API. |
| `token_type`    | `Bearer` | Must be passed in the `Authorization` header. |
| `expires_in`    |          | The duration (in seconds) for which the `access_token` is valid. The default user session lasts 15 days; the default company session lasts 30 days. |
| `refresh_token` | `Bearer` | The value with which the client can regenerate an expired `access_token`. The refresh token for a user session lasts 30 days; the refresh token for a company session lasts 60 days. |

{% endtab %}
{% endtabs %}

{% hint style="info" %}
Note that the refresh\_token in the above response is newly generated. The client server must replace the stored refresh token with this new one.
{% endhint %}

{% hint style="info" %}
Although the access\_token expires after 30 days and the refresh\_token after 60 days, Xoxoday recommends calling the [Access Token generation from Refresh Token](#access-token-generation-from-refresh-token) API on every 4xx error, so that a token invalidated before the 30-day expiry does not cause downtime.
{% endhint %}

#### **Diagrammatic Representation for** [**Access Token regeneration**](#access-token-generation-from-refresh-token)**.**

<figure><img src="https://1597622271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MOeXh7erUO5h_LVpN85%2Fuploads%2Fu9SutXeZicZZFKcAHjaF%2FScreenshot%202022-09-23%20at%202.28.38%20PM.png?alt=media&#x26;token=66f32d92-8ff1-4b4b-845e-dedd432edc53" alt=""><figcaption></figcaption></figure>
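The token lifecycle described above (authorization-code exchange, refresh, and refresh-token rotation) as a small client-server helper. This is an added example, not Xoxoday's SDK or code from this page; it assumes the `{OAUTH_URL}/v1/oauth/token/company` endpoint shown above accepts a JSON body with `Content-Type: application/json`, uses a placeholder `OAUTH_URL`, and takes an injectable transport so the flow can be exercised offline against a stand-in server.

```python
import json
import time
import urllib.request

OAUTH_URL = "https://oauth.example.invalid"  # placeholder for {OAUTH_URL} (assumption)
TOKEN_ENDPOINT = f"{OAUTH_URL}/v1/oauth/token/company"


def http_post_json(url, body):
    """Real transport: POST a JSON body and return (status, parsed JSON). Content-Type is an assumption."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read())


class TokenStore:
    """Holds the current access/refresh pair and the absolute expiry derived from expires_in."""

    def __init__(self, client_id, client_secret, redirect_uri, post=http_post_json):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self._post = post  # injectable transport, so the flow can run offline in tests
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _apply(self, status, payload):
        if status != 200 or "access_token" not in payload:
            raise RuntimeError(f"token request failed: {status} {payload.get('error_description')}")
        self.access_token = payload["access_token"]
        self.refresh_token = payload["refresh_token"]  # rotated on every response: drop the old one
        # treat the token as expired 60 s early so no API call goes out with a token about to lapse
        self.expires_at = time.time() + int(payload["expires_in"]) - 60
        return self.access_token

    def exchange_code(self, code):
        """Swap the 5-minute authorization code for the first token pair (grant_type=authorization_code)."""
        return self._apply(*self._post(TOKEN_ENDPOINT, {
            "grant_type": "authorization_code", "code": code, "redirect_uri": self.redirect_uri,
            "client_id": self.client_id, "client_secret": self.client_secret}))

    def refresh(self):
        """Regenerate the access_token from the stored refresh_token (grant_type=refresh_token)."""
        return self._apply(*self._post(TOKEN_ENDPOINT, {
            "grant_type": "refresh_token", "refresh_token": self.refresh_token,
            "client_id": self.client_id, "client_secret": self.client_secret}))

    def bearer_header(self):
        """Authorization header for storefront API calls; refreshes first if the token has lapsed."""
        if not self.access_token or time.time() >= self.expires_at:
            self.refresh()
        return {"Authorization": f"Bearer {self.access_token}"}
```

`bearer_header()` covers the ordinary expiry case; the page's advice to regenerate on any 4xx from the storefront API maps onto calling `refresh()` from the caller's error handler and retrying once.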

## **Access Token Validation**

{% tabs %}
{% tab title="Request" %}

> To verify at any point in the app whether a token is still valid, call the endpoint below:

```
curl -X GET {OAUTH_URL}/v1/oauth/token \
  -H 'Authorization: Bearer eyJ0b2tlbkNvbnRlbnQiOnsiaXNzdWVkRm9yIjoiRnJlc2h3b3JrcyIsInNjb3BlIjoiIiwiaXNzdWVkQXQiOjE1NTk4MDQ1Nzg1ODIsImV4cGlyZXNBdCI6IjIwMTktMDYtMjFUMDc6MDI6NTguNTgyWiIsInRva2VuX3R5cGUiOiJ'
```

{% endtab %}

{% tab title="Response" %}
`200: Success`

```
{
    "access_token": "eyJ0b2tlbkNvbnRlbnQiOnsiaXNzdWVkRm9yIjoiRnJlc2h3b3JrcyIsInNjb3BlIjoiIiwiaXNzdWVkQXQiOjE1NTk4MDQ1Nzg1ODIsImV4cGlyZXNBdCI6IjIwMTktMDYtMjFUMDc6MDI6NTguNTgyWiIsInRva2VuX3R5cGUiOiJ",
    "token_type": "bearer",
    "expires_in": 1291911023
}
```

`400: Failure`

`Token has expired.`

```
{
    "error": "invalid_token",
    "error_description": "invalid/expired token"
}
```

{% endtab %}
{% endtabs %}
