Slack.Web.Oauth.V2 (SlackKit v1.0.0-alpha.0)

Summary

Functions

Exchanges a temporary OAuth verifier code for an access token.

Exchanges a legacy access token for a new expiring access token and refresh token.

Functions

access(optional_params \\ %{})

Exchanges a temporary OAuth verifier code for an access token.

API reference

Rate limit: Special rate limits apply.
Scopes: No scopes required

Optional Params

  • client_id - Issued when you created your application. If at all possible, avoid sending client_id and client_secret as parameters in your request; instead, supply the Client ID and Client Secret using the HTTP Basic authentication scheme. ex: 2141029472.691202649728
  • client_secret - Issued when you created your application. If at all possible, avoid sending client_id and client_secret as parameters in your request; instead, supply the Client ID and Client Secret using the HTTP Basic authentication scheme. ex: e1b9e11dfcd19c1982d5de12921e17e8c
  • code - The code param returned via the OAuth callback. ex: 4724469134.4644010092847.232b4e6d82c333b475fc30f5f5a341d294feb1a94392c2fd791f7ab7731a443d1a
  • code_verifier - The code_verifier param used to generate the code_challenge originally. Used for PKCE. ex: secret12345
  • grant_type - The grant_type param as described in the OAuth spec. ex: authorization_code
  • redirect_uri - This must match the originally submitted URI (if one was sent). ex: http://example.com
  • refresh_token - The refresh_token param as described in the OAuth spec. ex: xoxe-1-abcdefg

Errors the API can return:

  • bad_client_secret - Value passed for client_secret was invalid.
  • bad_redirect_uri - Value passed for redirect_uri did not match the redirect_uri in the original request.
  • cannot_install_an_org_installed_app - Returned when the org-installed app cannot be installed on a workspace.
  • invalid_client_id - Value passed for client_id was invalid.
  • invalid_code - Value passed for code was invalid.
  • invalid_code_verifier - The code_verifier is invalid.
  • invalid_grant_type - Value passed for grant_type was invalid.
  • invalid_refresh_token - The given refresh token is invalid.
  • no_scopes - Missing scope in the request.
  • oauth_authorization_url_mismatch - The OAuth flow was initiated on an incorrect version of the authorization url. The flow must be initiated via /oauth/v2/authorize.
  • pkce_not_allowed - The app is not allowed to use the PKCE flow.
  • preview_feature_not_available - Returned when the API method is not yet available on the team in context.
  • user_email_unverified - The user's email is unverified.

See the Common Errors guide for errors returned by every Web API method.
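
The recommendation above to supply the client credentials through HTTP Basic authentication, combined with the PKCE code_verifier parameter, as an added example that is not SlackKit's own code. The module and function names are hypothetical, the S256 challenge method from RFC 7636 is an assumption, and all sample values are constructed.

```elixir
# Added example; OauthExchangeExample and its functions are hypothetical names,
# not part of SlackKit. Uses only the Elixir/Erlang standard library.
defmodule OauthExchangeExample do
  @token_url "https://slack.com/api/oauth.v2.access"

  # RFC 7636 verifier: 32 random bytes -> 43 base64url characters, no padding.
  def new_verifier, do: Base.url_encode64(:crypto.strong_rand_bytes(32), padding: false)

  # S256 challenge (assumed method): BASE64URL(SHA256(verifier)), no padding.
  def challenge(verifier),
    do: Base.url_encode64(:crypto.hash(:sha256, verifier), padding: false)

  # Token request with the client credentials in the Authorization header,
  # so they are not sent as request parameters.
  def build_request(client_id, client_secret, code, verifier, redirect_uri) do
    body =
      URI.encode_query(%{
        "grant_type" => "authorization_code",
        "code" => code,
        "code_verifier" => verifier,
        "redirect_uri" => redirect_uri
      })

    headers = [
      {"authorization", "Basic " <> Base.encode64(client_id <> ":" <> client_secret)},
      {"content-type", "application/x-www-form-urlencoded"}
    ]

    {:post, @token_url, headers, body}
  end
end

# Check the challenge function against the RFC 7636 Appendix B test vector.
"E9Melhoa2OwvFrEMTJguCH5QsU5PVr8UEHxYDmDqTgM" =
  OauthExchangeExample.challenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")

# Constructed sample values, not real credentials.
verifier = OauthExchangeExample.new_verifier()

{:post, _url, headers, body} =
  OauthExchangeExample.build_request("1111.2222", "constructed-secret", "constructed-code",
    verifier, "https://example.com/callback")

# The secret travels only in the header; the verifier travels in the body.
false = String.contains?(body, "constructed-secret")
true = String.contains?(body, "code_verifier=" <> verifier)
IO.inspect(headers, label: "headers")
```

The verifier must be generated before the user is sent to the authorization URL and kept server-side until the callback, since the same value has to be presented in code_verifier when the code is exchanged.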

exchange(client_id, client_secret, optional_params \\ %{})

Exchanges a legacy access token for a new expiring access token and refresh token.

API reference

Rate limit: Tier 3: 50+ per minute
Scopes: No scopes required

Required Params

  • client_id - Issued when you created your application. ex: 4123121235.9872358710
  • client_secret - Issued when you created your application. ex: e1b9e11dfcd19c1982d5de12921e17e8c

Errors the API can return:

  • authorization_not_found - The underlying authorization for this token was revoked or is invalid.
  • bad_client_secret - Value passed for client_secret was invalid.
  • invalid_client_id - Value passed for client_id was invalid.
  • invalid_token - The legacy token provided cannot be exchanged for a new pair of token credentials.
  • token_already_exchanged - This token has already been exchanged for a pair of token credentials.
  • token_rotation_not_enabled - The app does not have token rotation enabled.

See the Common Errors guide for errors returned by every Web API method.