
# Exchange tokens

> OAuth 2.0 token endpoint. Supports two grant types:
>
> - `authorization_code`: Exchange an authorization code for tokens
> - `refresh_token`: Refresh an access token
>
> Authenticate the client via HTTP Basic auth (`client_id:client_secret`) or by sending `client_id` and `client_secret` as body parameters.



## OpenAPI

````yaml https://api.meteroid.com/api-docs/openapi.json post /api/v1/oauth/token
# OpenAPI 3.1 document for the Meteroid API. The `paths` section in this
# listing contains a single operation, the OAuth token endpoint.
openapi: 3.1.0
info:
  title: meteroid
  description: ''
  license:
    name: LicenseRef-Proprietary
    identifier: LicenseRef-Proprietary
  version: 0.1.0
# No server URL is declared, so clients have to be configured with the API
# base URL out of band. Token requests carry client secrets and refresh
# tokens, so that base URL should be HTTPS.
servers: []
# Empty global security requirement: nothing applies by default at document
# level, and each operation has to declare its own. The token operation under
# `paths` declares none, although its description says the client
# authenticates with HTTP Basic or body parameters.
security: []
tags:
  - name: Meteroid
    description: Meteroid API
  - name: Add-ons
  - name: Batch Jobs
  - name: Checkout Sessions
  - name: Connect
    description: Manage connected accounts (Express & Standard)
  - name: Coupons
  - name: Credit Notes
  - name: Customers
  - name: Entitlements
  - name: Events
  - name: Features
  - name: Invoices
  - name: Metrics
  # Tag used by the token operation below.
  - name: OAuth
    description: OAuth 2.0 token endpoints (public, client-credentials auth)
  - name: OAuth Apps
    description: Manage OAuth applications for Connect integrations
  - name: Plans
  - name: Product Families
  - name: Products
  - name: Subscriptions
  - name: Usage
paths:
  /api/v1/oauth/token:
    # Token endpoint: the client exchanges an authorization code or a refresh
    # token for tokens. No `security` requirement and no security scheme are
    # declared for this operation, so the HTTP Basic option is visible to
    # generated clients and API scanners only through the prose description.
    post:
      tags:
        - OAuth
      summary: Exchange tokens
      description: >-
        OAuth 2.0 token endpoint. Supports two grant types:

        - `authorization_code`: Exchange an authorization code for tokens

        - `refresh_token`: Refresh an access token


        Authenticate via HTTP Basic auth (`client_id:client_secret`) or body
        parameters.
      operationId: token_endpoint
      # Credentials, authorization codes and refresh tokens travel in this
      # form-encoded body; keep the body out of request logs and traces.
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/TokenRequest'
        required: true
      # NOTE(review): no response headers are declared. RFC 6749 section 5.1
      # requires `Cache-Control: no-store` on responses that contain tokens;
      # confirm the server sends it.
      responses:
        '200':
          description: Token response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
        # 400 and 401 both use the OAuth error body (OAuthErrorResponse).
        '400':
          description: Invalid request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuthErrorResponse'
        '401':
          description: Invalid client credentials
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuthErrorResponse'
        # Rate limiting answers with the generic REST error body, not the OAuth
        # one, so a client has to parse two different error shapes here.
        '429':
          description: Too many requests
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RestErrorResponse'
components:
  schemas:
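    # Form-encoded body of the token request. Only `grant_type` is required by
    # the schema; which of the other fields are needed depends on the grant and
    # is not expressed here (presumably validated by the server).
    TokenRequest:
      type: object
      description: Token request (from POST body, application/x-www-form-urlencoded)
      required:
        - grant_type
      properties:
        # Body-parameter client authentication. RFC 6749 section 2.3.1 prefers
        # HTTP Basic and reserves body credentials for clients that cannot use
        # it.
        client_id:
          type:
            - string
            - 'null'
          description: Client ID (if not using HTTP Basic auth)
        client_secret:
          type:
            - string
            - 'null'
          # Marks the value as a secret so documentation UIs and tooling mask it.
          format: password
          description: Client secret (if not using HTTP Basic auth)
        code:
          type:
            - string
            - 'null'
          description: Authorization code (for authorization_code grant)
        # NOTE(review): optional in the schema; whether the server requires PKCE
        # for some clients is not visible here. RFC 7636 defines the verifier as
        # 43-128 characters, which this schema does not constrain.
        code_verifier:
          type:
            - string
            - 'null'
          description: PKCE code verifier (for authorization_code grant with PKCE)
        grant_type:
          type: string
          # Restrict to the two grants the endpoint documents, so validators and
          # generated clients reject anything else before it is sent.
          enum:
            - authorization_code
            - refresh_token
          description: 'Grant type: "authorization_code" or "refresh_token"'
        redirect_uri:
          type:
            - string
            - 'null'
          description: >-
            Redirect URI (for authorization_code grant, must match the one used
            in /authorize)
        refresh_token:
          type:
            - string
            - 'null'
          # A refresh token is a long-lived credential; mask it like a password.
          format: password
          description: Refresh token (for refresh_token grant)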
    # Successful token response (HTTP 200). Every string below except `scope`
    # and `token_type` is a credential and should be stored and logged as one.
    TokenResponse:
      type: object
      description: Token response as per OAuth 2.0 spec
      required:
        - access_token
        - token_type
        - expires_in
      properties:
        access_token:
          type: string
        # Per RFC 6749 section 5.1 this is the access-token lifetime in seconds.
        expires_in:
          type: integer
          format: int64
        # Nullable and not required, so a response may carry no refresh token.
        # NOTE(review): whether a refresh replaces the old refresh token
        # (rotation) is not stated here; confirm.
        refresh_token:
          type:
            - string
            - 'null'
        scope:
          type:
            - string
            - 'null'
        # The schema does not constrain the value. RFC 6749 section 7.1: a
        # client must not use a token whose type it does not understand.
        token_type:
          type: string
    # Error body returned for the 400 and 401 responses of the token endpoint.
    OAuthErrorResponse:
      type: object
      description: OAuth 2.0 error response as per RFC 6749 Section 5.2
      required:
        - error
      properties:
        # Machine-readable code; branch on this rather than on the description.
        error:
          $ref: '#/components/schemas/OAuthErrorCode'
        # Optional server-supplied text and link. Clients should treat both as
        # untrusted input when displaying or following them.
        error_description:
          type:
            - string
            - 'null'
        error_uri:
          type:
            - string
            - 'null'
    # Generic REST error body. In this listing it is referenced only by the 429
    # response, and its shape (`code`, `message`) differs from
    # OAuthErrorResponse.
    RestErrorResponse:
      type: object
      required:
        - code
        - message
      properties:
        code:
          $ref: '#/components/schemas/ErrorCode'
        message:
          type: string
    # Values of the `error` field in OAuthErrorResponse. RFC 6749 section 5.2
    # defines invalid_request, invalid_client, invalid_grant,
    # unauthorized_client, unsupported_grant_type and invalid_scope for the
    # token endpoint; access_denied, unsupported_response_type, server_error and
    # temporarily_unavailable are authorization-endpoint codes (section
    # 4.1.2.1). Presumably the enum is shared with the authorize flow; confirm.
    OAuthErrorCode:
      type: string
      description: OAuth 2.0 error codes as per RFC 6749
      enum:
        - invalid_request
        - unauthorized_client
        - access_denied
        - unsupported_response_type
        - invalid_scope
        - server_error
        - temporarily_unavailable
        - invalid_grant
        - invalid_client
        - unsupported_grant_type
    # Codes carried in RestErrorResponse.code. On the token endpoint only the
    # 429 response uses this body, so TOO_MANY_REQUESTS is the value a client
    # would expect there (the schema itself allows any of the seven).
    ErrorCode:
      type: string
      enum:
        - BAD_REQUEST
        - NOT_FOUND
        - CONFLICT
        - FORBIDDEN
        - UNAUTHORIZED
        - TOO_MANY_REQUESTS
        - INTERNAL_SERVER_ERROR

````