Token Endpoint

The token endpoint can be used to programmatically request tokens.

Duende IdentityServer supports a subset of the OpenID Connect and OAuth 2.0 token request parameters. For a full list, see here.

  • client_id

    client identifier; not necessary in body if it is present in the authorization header

  • grant_type

    • authorization_code

    • client_credentials

    • password

    • refresh_token

    • urn:ietf:params:oauth:grant-type:device_code

    • extension grant

  • client_secret

    client secret for confidential/credentials clients, sent either in the POST body or as a basic authentication header.

  • scope

    one or more registered scopes. If not specified, a token for all explicitly allowed scopes will be issued.

  • redirect_uri

    required for the authorization_code grant type

  • code

    the authorization code (required for authorization_code grant type)

  • code_verifier

    PKCE proof key

  • username

    resource owner username (required for password grant type)

  • password

    resource owner password (required for password grant type)

  • acr_values

    allows passing in additional authentication-related information. Duende IdentityServer special-cases the following proprietary acr_values:

    • tenant:name_of_tenant

      can be used to pass a tenant name to the token endpoint

  • refresh_token

    the refresh token (required for refresh_token grant type)

  • device_code

    the device code (required for urn:ietf:params:oauth:grant-type:device_code grant type)

  • auth_req_id

    the backchannel authentication request id (required for urn:openid:params:grant-type:ciba grant type)

POST /connect/token
Content-Type: application/x-www-form-urlencoded

client_id=client1&
client_secret=secret&
grant_type=authorization_code&
code=hdh922&
redirect_uri=https://myapp.com/callback

You can use the Duende IdentityModel client library to programmatically interact with the protocol endpoint from .NET code.

using Duende.IdentityModel.Client;

var client = new HttpClient();

// TokenEndpoint is the caller's variable holding the token endpoint URL.
var response = await client.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest
{
    Address = TokenEndpoint,
    ClientId = "client",
    ClientSecret = "secret",
    Code = "...",
    CodeVerifier = "...",
    RedirectUri = "https://app.com/callback"
});
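
The parameter list above allows the client credentials to travel in a basic authentication header instead of the POST body. The following added example (not from the Duende documentation or the IdentityModel library) builds that request with only the .NET base class library and prints it rather than sending it. The endpoint URL, client values and secret are constructed placeholders, and the form-encoding of the credentials before the Basic join follows RFC 6749 section 2.3.1.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;

// Constructed sample values, not taken from any real deployment.
const string tokenEndpoint = "https://identity.example.com/connect/token";
const string clientId = "client1";
const string clientSecret = "s3cret:with/reserved+chars";

// PKCE: 32 random bytes, base64url-encoded, yield a 43-character code_verifier.
string codeVerifier = Base64Url(RandomNumberGenerator.GetBytes(32));
// The S256 code_challenge that must already have gone out on the authorize request.
string codeChallenge = Base64Url(SHA256.HashData(Encoding.ASCII.GetBytes(codeVerifier)));

// FormUrlEncodedContent sets the Content-Type header and percent-encodes every
// value, so redirect_uri goes out as https%3A%2F%2Fmyapp.com%2Fcallback.
var form = new FormUrlEncodedContent(new Dictionary<string, string>
{
    ["grant_type"] = "authorization_code",
    ["code"] = "hdh922",
    ["redirect_uri"] = "https://myapp.com/callback",
    ["code_verifier"] = codeVerifier
});

// Credentials go in the Authorization header, so client_id and client_secret
// stay out of the body. Each part is form-encoded before the ':' join, which
// keeps a ':' inside the secret from being read as the separator.
string basic = Convert.ToBase64String(Encoding.UTF8.GetBytes(
    $"{FormEncode(clientId)}:{FormEncode(clientSecret)}"));

var request = new HttpRequestMessage(HttpMethod.Post, tokenEndpoint) { Content = form };
request.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);

// Print the request instead of sending it, so the example runs offline.
Console.WriteLine($"code_challenge: {codeChallenge}");
Console.WriteLine($"Authorization: {request.Headers.Authorization}");
Console.WriteLine(await form.ReadAsStringAsync());

static string FormEncode(string value) =>
    Uri.EscapeDataString(value).Replace("%20", "+");

static string Base64Url(byte[] bytes) =>
    Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
```

The printed body contains no client_id or client_secret, which keeps the secret out of anything that records form bodies.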