AWS.Signin (aws-elixir v1.0.12)

AWS Sign-In manages authentication for AWS services.

This service provides secure authentication flows for accessing AWS resources from the console and developer tools.

Summary

Functions

Delete console authorization configuration with automatic scope detection

Remove a permission statement from the account's SignIn resource-based policy

Get console authorization configuration with automatic scope detection

Retrieve the account's consolidated SignIn resource-based policy

Retrieve all permission statements in the account's SignIn resource-based policy

Enable console authorization configuration with automatic scope detection

Create a permission statement in the account's SignIn resource-based policy

Functions

create_o_auth2_token(client, input, options \\ [])

CreateOAuth2Token API

  • Path: /v1/token
  • Request Method: POST
  • Content-Type: application/json or application/x-www-form-urlencoded

This API implements OAuth 2.0 flows for AWS Sign-In CLI clients, supporting both:

  1. Authorization code redemption (grant_type=authorization_code) - NOT idempotent
  2. Token refresh (grant_type=refresh_token) - Idempotent within token validity window

The operation behavior is determined by the grant_type parameter in the request body:

Authorization Code Flow (NOT Idempotent):

  • JSON or form-encoded body with client_id, grant_type=authorization_code, code, redirect_uri, code_verifier
  • Returns access_token, token_type, expires_in, refresh_token, and id_token
  • Each authorization code can only be used ONCE for security (prevents replay attacks)

Token Refresh Flow (Idempotent):

  • JSON or form-encoded body with client_id, grant_type=refresh_token, refresh_token
  • Returns access_token, token_type, expires_in, and refresh_token (no id_token)
  • Multiple calls with same refresh_token return consistent results within validity window

Authentication and authorization:

  • Confidential clients: SigV4 signing is required, with signin:ExchangeToken permissions
  • CLI clients (public): authentication and authorization are skipped, based on client_id and grant_type

Note: This operation cannot be marked as @idempotent because it handles both idempotent (token refresh) and non-idempotent (auth code redemption) flows in a single endpoint.
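
An added example (not from aws-elixir or the original page): a request builder that enforces the per-grant field lists above and tells a retry layer which flow may be resent. The module name, the sample values and the policy of rejecting fields from the other flow are assumptions; it builds the form-encoded body directly because the page does not show how these fields map onto the `input` map.

```elixir
defmodule SigninTokenRequest do
  # Hypothetical helper, not part of aws-elixir.
  # Body fields per grant_type, as listed in the documentation above.
  @fields %{
    "authorization_code" => ~w(client_id grant_type code redirect_uri code_verifier),
    "refresh_token" => ~w(client_id grant_type refresh_token)
  }

  # Returns {:ok, form_body} or {:error, reason}. Rejecting fields that belong
  # to the other flow is a local policy of this example.
  def encode(params) when is_map(params) do
    grant = Map.get(params, "grant_type")

    with {:ok, required} <- Map.fetch(@fields, grant),
         {:missing, []} <- {:missing, Enum.reject(required, &present?(params, &1))},
         {:unexpected, []} <- {:unexpected, Map.keys(params) -- required} do
      {:ok, URI.encode_query(Map.take(params, required))}
    else
      :error -> {:error, {:unsupported_grant_type, grant}}
      {reason, fields} -> {:error, {reason, fields}}
    end
  end

  # Only the refresh flow is documented as idempotent. An authorization code is
  # single-use, so its redemption request is never blindly resent.
  def retry_safe?("refresh_token"), do: true
  def retry_safe?(_grant), do: false

  # PKCE verifier (RFC 7636): 32 random bytes as unpadded base64url, 43 chars.
  def new_code_verifier do
    Base.url_encode64(:crypto.strong_rand_bytes(32), padding: false)
  end

  defp present?(params, key), do: is_binary(params[key]) and params[key] != ""
end

# Constructed sample values.
redeem = %{
  "client_id" => "example-cli-client",
  "grant_type" => "authorization_code",
  "code" => "SAMPLE-AUTH-CODE",
  "redirect_uri" => "http://127.0.0.1:8400/callback",
  "code_verifier" => SigninTokenRequest.new_code_verifier()
}

{:ok, body} = SigninTokenRequest.encode(redeem)
IO.puts(body)
IO.inspect(SigninTokenRequest.retry_safe?(redeem["grant_type"]))
IO.inspect(SigninTokenRequest.encode(Map.put(redeem, "grant_type", "refresh_token")))
```

The last call shows the failure path: switching grant_type without supplying refresh_token is reported as a missing field before any request is sent.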

delete_console_authorization_configuration(client, input, options \\ [])

Delete console authorization configuration with automatic scope detection

delete_resource_permission_statement(client, input, options \\ [])

Remove a permission statement from the account's SignIn resource-based policy

get_console_authorization_configuration(client, input, options \\ [])

Get console authorization configuration with automatic scope detection

get_resource_policy(client, input, options \\ [])

Retrieve the account's consolidated SignIn resource-based policy

list_resource_permission_statements(client, input, options \\ [])

Retrieve all permission statements in the account's SignIn resource-based policy

put_console_authorization_configuration(client, input, options \\ [])

Enable console authorization configuration with automatic scope detection

put_resource_permission_statement(client, input, options \\ [])

Create a permission statement in the account's SignIn resource-based policy