--- title: Token endpoint description: The client presents its authorization grant to the token endpoint to obtain an access token and a refresh token when needed. component: pingfederate version: 13.1 page_id: pingfederate:developers_reference_guide:pf_token_endpoint canonical_url: https://docs.pingidentity.com/pingfederate/13.1/developers_reference_guide/pf_token_endpoint.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: June 3, 2024 section_ids: endpoint-astoken-oauth2: "Endpoint: /as/token.oauth2" oauth-client-identification-and-authentication: OAuth client identification and authentication oauth-access-token-management-parameters: OAuth access token management parameters example: Example example-a-partial-match: Example - A partial match --- # Token endpoint The client presents its authorization grant to the token endpoint to obtain an access token and a refresh token when needed. [The OAuth 2.0 Authorization Framework](https://datatracker.ietf.org/doc/html/rfc6749/) defines the token endpoint. Because the authorization endpoint directly issues an access token, every authorization grant uses this endpoint except the Implicit grant type. | | | | - | ------------------------------------------------ | | | This endpoint accepts only the HTTP POST method. | ## Endpoint: /as/token.oauth2 Parameters vary depending on the grant type. For more information, see [OAuth grant type parameters](pf_oauth_grant_type_param.html). The required `Content-Type` value is `application/x-www-form-urlencoded`. Like other OAuth 2.0 endpoints, the token endpoint is accessible at the base URL and any configured virtual host names. If the **Token Endpoint Base URL** field is configured on the **Authorization Server Settings** window (**System > OAuth Settings > Authorization Server Settings**) the token endpoint is also accessible at that location. For example, if the base URL is https\://www\.example.com:9031 and the **Token Endpoint Base URL** value is https\://www\.example.local:9031, the token endpoints are accessible at the following locations: * https\://www\.example.com:9031/as/token.oauth2 * https\://www\.example.local:9031/as/token.oauth2 ## OAuth client identification and authentication The authentication requirement of this endpoint depends on the client authentication method configured for the clients. | Authentication method | Parameters | | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Client secret | Clients can present their client identifier and client secret using the HTTP Basic authentication scheme, where the client identifier is the username, and the client secret is the password.Clients can provide credentials using the request parameters `client_id` and `client_secret`. This is a sensitive parameter. To avoid recording it in web server logs, only pass in this parameter with the HTTP POST method in the message body, or through the HTTP Basic authentication scheme. | | Client certificate | Clients must present their client certificate for mutual TLS authentication. The issuer and the subject distinguished name (DN) of the client certificate must match values configured for the clients. | | Private key JWT or Client Secret JWT | Clients must include request parameters `client_assertion_type` and `client_assertion` in the message body of their requests.- `client_assertion_type` The value describes the format of the assertion as defined by the authorization server. For the private\_key\_jwt and client\_secret\_jwt client authentication methods, the value is `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`. - `client_assertion` The value is the authentication token.**Example**``` ... client_assertion_type= urn%3Aietf%3Aparams%3Aoauth% 3Aclient-assertion-type%3Ajwt-bearer& client_assertion= eyJhbGciOiJSUzI1NiIs...LbSWi1YO-TILOd4L7ZCg& ... ``` For readability, line breaks are inserted and the authentication token is truncated.Learn more about the private\_key\_jwt and client\_secret\_jwt client authentication methods in [Client Authentication](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) and [Using Assertions for Client Authentication](https://datatracker.ietf.org/doc/html/rfc7521/#autoid-7). | | None | Clients must pass in the `client_id` parameter in a query string or the message body to identify themselves. | ## OAuth access token management parameters PingFederate supports multiple access token management (ATM) instances. Clients can specify an ATM instance by providing the ATM ID (`access_token_manager_id`) or a resource URI (`aud` or `resource`) in their requests to the PingFederate OAuth AS. | Parameter | Description | | ------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `access_token_manager_id` | The `access_token_manager_id` value is the instance ID of the desired ATM instance. When specified, PingFederate uses the desired ATM instance for the request if it is eligible; otherwise it aborts the request. When the access\_token\_manager\_id parameter is specified, PingFederate ignores the aud and resource parameter. When the aud parameter is specified, PingFederate ignores the resource parameter. | | `aud` | The `aud` is the resource URI the client wants to access. The provided value is matched against resource URIs configured in access token management instances. When a match is found, PingFederate uses the corresponding access token management instance for the request if it is eligible; otherwise it aborts the request. | | `resource` | The `resource` is the resource URI that the wants to access. The provided value is matched against resource URIs configures in access token management instances. When a match is found, PingFederate uses the corresponding access token management instance for the request if it is elligible. Otherwise it aborts the request.If multiple resource parameters are requested, they must match to a single access token management instance. Otherwise PingFederate aborts the request. | A match can be an exact match or a partial match where the provided URI has the same scheme and authority parts and a more specific path contained within the path of the pre-configured resource URI. PingFederate takes an exact match over a partial match. If there are multiple partial matches, PingFederate takes the partial match where the provided URI matches more specifically against the pre-configured resource URI. ## Example ## Example - A partial match A resource URI of `https://app.example.local` is a partial match for the following provided URIs: * https\://app.example.local/file1.ext * https\://app.example.local/path/file2.ext * https\://app.example.local/path/more