Token Endpoint

curl --request POST \
  --url https://api.headlesscommerce.io/v1/oauth/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data 'client_id=<string>' \
  --data 'code=<string>' \
  --data 'redirect_uri=<string>' \
  --data 'code_verifier=<string>' \
  --data 'refresh_token=<string>'

{
  "access_token": "<string>",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "<string>",
  "scope": "<string>"
}

OAuth 2.1
Token Endpoint
Exchanges an authorization code for tokens, or refreshes an existing token.
Authorization Code grant (grant_type=authorization_code):
- Requires code, client_id, redirect_uri, and code_verifier (PKCE).
- Returns access_token (1 hour TTL) and refresh_token (30 day TTL).
Refresh Token grant (grant_type=refresh_token):
- Requires refresh_token and client_id.
- Returns a new access token and rotated refresh token.
POST /oauth/token
Body
application/x-www-form-urlencoded
- grant_type: Available options: authorization_code, refresh_token
- code: Authorization code (for authorization_code grant)
- redirect_uri: Must match the URI used in /oauth/authorize
- code_verifier: PKCE code verifier (for authorization_code grant)
- refresh_token: Refresh token (for refresh_token grant)