Version 6.x has been out of support since May 14, 2024, and this corresponding section of the documentation is no longer maintained. We strongly recommend you upgrade to the latest supported version of 7.x and read the latest version of this documentation.

Token Endpoint

The token endpoint can be used to programmatically request tokens.

Duende IdentityServer supports a subset of the OpenID Connect and OAuth 2.0 token request parameters. For a full list, see here.

Required parameters

  • client_id

    client identifier; not necessary in body if it is present in the authorization header

  • grant_type

    • authorization_code

    • client_credentials

    • password

    • refresh_token

    • urn:ietf:params:oauth:grant-type:device_code

    • extension grant

Optional parameters

  • client_secret

    client secret for confidential/credentials clients - either in the post body, or as a basic authentication header.

  • scope

    one or more registered scopes. If not specified, a token for all explicitly allowed scopes will be issued.

  • redirect_uri

    required for the authorization_code grant type

  • code

    the authorization code (required for authorization_code grant type)

  • code_verifier

    PKCE proof key

  • username

    resource owner username (required for password grant type)

  • password

    resource owner password (required for password grant type)

  • acr_values

    allows passing in additional authentication-related information. Duende IdentityServer special-cases the following proprietary acr_values:

    • tenant:name_of_tenant

      can be used to pass a tenant name to the token endpoint

  • refresh_token

    the refresh token (required for refresh_token grant type)

  • device_code

    the device code (required for urn:ietf:params:oauth:grant-type:device_code grant type)

  • auth_req_id

    the backchannel authentication request id (required for urn:openid:params:grant-type:ciba grant type)

POST /connect/token
Content-Type: application/x-www-form-urlencoded

    client_id=client1&
    client_secret=secret&
    grant_type=authorization_code&
    code=hdh922&
    redirect_uri=https://myapp.com/callback

.NET client library

You can use the IdentityModel client library to programmatically interact with the protocol endpoint from .NET code.

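using IdentityModel.Client;

var client = new HttpClient();

// TokenEndpoint holds the URL of the token endpoint (/connect/token on the IdentityServer host).
var response = await client.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest
{
    Address = TokenEndpoint,

    ClientId = "client",
    ClientSecret = "secret",

    // Code returned by the authorize endpoint, and the PKCE proof key created for that request.
    Code = "...",
    CodeVerifier = "...",
    RedirectUri = "https://app.com/callback"
});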
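
The authorization_code request shown earlier, built with plain HttpClient types as an added example (not code from the Duende documentation or from IdentityModel). It generates the PKCE code_verifier, puts the client credentials in a Basic authorization header instead of the body, and prints the encoded request rather than sending it. It assumes .NET 6 or later, and the host name identity.example.com is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;

// Constructed sample values; the host name is a placeholder.
const string tokenEndpoint = "https://identity.example.com/connect/token";
const string clientId = "client1";
const string clientSecret = "secret";
const string redirectUri = "https://myapp.com/callback";

// PKCE (RFC 7636): the client creates the verifier before the authorize request,
// sends only its SHA-256 hash (code_challenge) there, and keeps the verifier itself.
string codeVerifier = Base64Url(RandomNumberGenerator.GetBytes(32)); // 43 characters
string codeChallenge = Base64Url(SHA256.HashData(Encoding.ASCII.GetBytes(codeVerifier)));

// The authorization code arrives at redirect_uri; "hdh922" is the page's sample value.
HttpRequestMessage tokenRequest = BuildTokenRequest("hdh922", codeVerifier);

Console.WriteLine($"code_challenge sent to the authorize endpoint: {codeChallenge}");
Console.WriteLine($"{tokenRequest.Method} {tokenRequest.RequestUri}");
Console.WriteLine($"Authorization: {tokenRequest.Headers.Authorization}");
Console.WriteLine(await tokenRequest.Content!.ReadAsStringAsync());

HttpRequestMessage BuildTokenRequest(string code, string verifier)
{
    var message = new HttpRequestMessage(HttpMethod.Post, tokenEndpoint)
    {
        // FormUrlEncodedContent percent-encodes every value (redirect_uri included)
        // and sets Content-Type to application/x-www-form-urlencoded.
        Content = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["code"] = code,
            ["redirect_uri"] = redirectUri,
            ["code_verifier"] = verifier
        })
    };
    // Client credentials go in the Authorization header, so client_id and client_secret
    // stay out of the body. RFC 6749 section 2.3.1: encode each part, then join with ':'.
    string pair = $"{Uri.EscapeDataString(clientId)}:{Uri.EscapeDataString(clientSecret)}";
    message.Headers.Authorization = new AuthenticationHeaderValue(
        "Basic", Convert.ToBase64String(Encoding.UTF8.GetBytes(pair)));
    return message;
}

static string Base64Url(byte[] bytes) =>
    Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
```

The printed body shows redirect_uri as https%3A%2F%2Fmyapp.com%2Fcallback; the readable form in the request sample earlier on the page is not what goes on the wire.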