OAuth 2.0 - Obtaining an Access Token

An access token is a string that identifies a user, an application, or a page. The token includes information such as when the token will expire and which app created that token.

  • First, it is necessary to acquire OAuth 2.0 client credentials from API console.

  • Then, the access token is requested from the authorization server by the client.

  • It gets an access token from the response and sends the token to the API that you wish to access.

You must send the user to the authorization endpoint at the beginning. Following is an example of a dummy request


Following are the parameters and their descriptions.

  • client_id − It should be set to the client id of your application.

  • redirect_uri − It should be set to the URL. After the request is authorized, the user will be redirected back.

  • response_type − It can either be a code or a token. The code must be used for server side applications, whereas the token must be used for client side applications. In server side applications, you can make sure that the secrets are saved safely.

Following table lists the concepts of Client Credentials.

Sr.No. Concept & Description
1 Authorization Code

The authorization code allows accessing the authorization request and grants access to the client application to fetch the owner resources.

2 Resource Owner Password Credentials

The resource owner password credentials include only one request and one response, and is useful where the resource owner has a good relationship with the client.

3 Assertion

Assertion is a package of information that makes the sharing of identity and security information across various security domains possible.

4 Refresh Token

The refresh tokens are used to acquire a new access tokens, which carries the information necessary to get a new access token.

5 Access Token Response

Access token is a type of token that is assigned by the authorization server.

6 Access Token Error Response Codes

If the token access request, which is issued by the authorization server is invalid or unauthorized, then the authorization server returns an error response.