OIDC Token Endpoint

The token endpoint exchanges the authorization code obtained from the /authorize endpoint for an access token and an ID token for the authenticated user.

  • Base URL: https://apx.didit.me
  • Endpoint: /auth/v2/token
  • Method: POST
  • Authentication: Basic Auth (Client ID and Client Secret)

Request

Headers

  • Authorization: Basic {base64(client_id:client_secret)}
  • Content-Type: application/x-www-form-urlencoded

Body Parameters

  • code (required): The authorization code received from the /authorize endpoint.
  • grant_type (required): Must be set to authorization_code.
  • redirect_uri (required): The same redirect URI used in the /authorize request.

Example Request

POST /auth/v2/token HTTP/1.1
Host: apx.didit.me
Authorization: Basic {base64(client_id:client_secret)}
Content-Type: application/x-www-form-urlencoded
 
code=authorization_code_here&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fyour-app.com%2Fcallback

Response

Returns a JSON object containing the access token, ID token, and related information.

Example Response

{
    "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6Imp3a1...",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "openid profile email",
    "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6Imp3a1...",
    // if `offline` scope is included
    "refresh_token": "eyJhbGciOiJSU..."
}

Response Fields

  • access_token: The access token for making authenticated requests.
  • token_type: The type of token, always "Bearer".
  • expires_in: The lifetime of the access token in seconds.
  • scope: The scopes granted for this token.
  • id_token: The ID token containing claims about the authentication of the user.
  • refresh_token: Returned only when the offline scope was requested; used to obtain a new access token when the current one expires.

Error Responses

Errors are returned as JSON objects with an error field and optionally an error_description field.

Common Errors

  • invalid_request: The request is missing a required parameter or is otherwise malformed.
  • invalid_client: Client authentication failed.
  • invalid_grant: The authorization code is invalid, expired, or has already been used.
  • unauthorized_client: The client is not authorized to use the grant type.
  • unsupported_grant_type: The grant type is not supported by the authorization server.
  • invalid_scope: The requested scope is invalid or unknown.

Example Error Response

{
    "error": "invalid_grant",
    "error_description": "The authorization code was invalid or has expired."
}

Code Example

// Exchange the authorization code received at the redirect URI for tokens.
// Run this server-side only: the client secret must never reach the browser.
const exchangeCodeForTokens = async (code, redirectUri) => {
  const tokenEndpoint = 'https://apx.didit.me/auth/v2/token';
  const clientId = 'your_client_id';
  const clientSecret = 'your_client_secret';

  // The body must be application/x-www-form-urlencoded.
  const params = new URLSearchParams();
  params.append('code', code);
  params.append('grant_type', 'authorization_code');
  params.append('redirect_uri', redirectUri); // must match the /authorize request exactly

  try {
    const response = await fetch(tokenEndpoint, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
        // Basic auth: base64(client_id:client_secret)
        'Authorization': 'Basic ' + btoa(clientId + ':' + clientSecret)
      },
      body: params
    });

    if (!response.ok) {
      // Error bodies carry `error` and optionally `error_description`; tolerate a non-JSON body.
      const errorData = await response.json().catch(() => ({}));
      throw new Error(errorData.error_description || errorData.error || 'Failed to exchange code for tokens');
    }

    const data = await response.json();
    return data;
  } catch (error) {
    console.error('Error exchanging code for tokens:', error);
    throw error;
  }
};
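As an added example that is not Didit's own code, the request builder and response parser below assemble the documented Basic header and form body without btoa(), turn expires_in into an absolute expiry, and map each documented error code to what the relying party should do next; TokenError, ERROR_ACTIONS and the action names are assumptions of this example. It uses only Node globals (Buffer, URLSearchParams), so it runs offline against the documented sample bodies.

```javascript
// Added example, not Didit's code: build the documented token request and interpret the documented bodies.
const TOKEN_ENDPOINT = 'https://apx.didit.me/auth/v2/token';

// Assumed action names: what the relying party should do for each documented error code.
const ERROR_ACTIONS = {
  invalid_grant: 'restart_authorization',   // code expired or already used: go through /authorize again
  invalid_request: 'fix_request',           // missing or malformed parameter
  unsupported_grant_type: 'fix_request',
  invalid_scope: 'fix_request',
  invalid_client: 'fix_client_config',      // Basic credentials rejected
  unauthorized_client: 'fix_client_config', // client not allowed to use authorization_code
};
class TokenError extends Error {
  constructor(status, payload) {
    const body = payload || {};
    super(body.error_description || `token endpoint returned HTTP ${status}`);
    this.status = status;
    this.code = body.error || 'unknown_error';
    this.action = ERROR_ACTIONS[this.code] || 'unknown';
  }
}

// Basic credential built with Buffer rather than btoa(), which rejects non-Latin1 secrets.
function buildTokenRequest({ clientId, clientSecret, code, redirectUri }) {
  const credentials = Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
  const body = new URLSearchParams({ code, grant_type: 'authorization_code', redirect_uri: redirectUri });
  return {
    url: TOKEN_ENDPOINT,
    method: 'POST',
    headers: { Authorization: `Basic ${credentials}`, 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(), // percent-encoded exactly like the documented example request
  };
}
// `payload` is the parsed JSON body; `now` (ms) is injectable so expiry can be checked deterministically.
function parseTokenResponse(status, payload, now = Date.now()) {
  if (status !== 200 || !payload || !payload.access_token) throw new TokenError(status, payload);
  if (payload.token_type !== 'Bearer') throw new Error(`unexpected token_type ${payload.token_type}`);
  return {
    accessToken: payload.access_token,
    idToken: payload.id_token,
    scopes: (payload.scope || '').split(' ').filter(Boolean),
    expiresAt: now + payload.expires_in * 1000, // absolute time lets callers refresh before expiry
    refreshToken: payload.refresh_token || null, // present only when the offline scope was granted
  };
}

// Sample bodies constructed from the documented examples (token values truncated as on the page).
const SAMPLE_SUCCESS = { access_token: 'eyJhbGciOiJSUzI1NiIsImtpZCI6Imp3a1...', token_type: 'Bearer', expires_in: 3600, scope: 'openid profile email', id_token: 'eyJhbGciOiJSUzI1NiIsImtpZCI6Imp3a1...' };
const SAMPLE_ERROR = { error: 'invalid_grant', error_description: 'The authorization code was invalid or has expired.' };
```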
⚠️ Always use HTTPS when calling this endpoint to protect the authorization code and client credentials. Store client secrets securely and never expose them in client-side code.