Exchange credentials for an access token. This is the OAuth 2.0 token endpoint.
Supported Grant Types:
- authorization_code: Exchange an authorization code for an access token
- authorization_code + PKCE: For public clients without a client secret
- client_credentials: Authenticate as your application (server-to-server)
PKCE Support: For public clients (mobile apps, SPAs), use PKCE:
- Generate a random code_verifier (43-128 chars, alphanumeric + -._~)
- Create code_challenge = Base64URL(SHA256(code_verifier))
- In the authorization request to https://www.are.na/oauth/authorize, include:
  - code_challenge: The generated challenge
  - code_challenge_method: S256
- When exchanging the code at this endpoint, include code_verifier
See RFC 7636 for details.
Access tokens do not expire and can be used indefinitely. Register your application at are.na/oauth/applications to obtain client credentials.
Body Params
- grant_type (enum, required): The OAuth 2.0 grant type
- client_id (string): Your application's client ID (required for all grant types)
- client_secret (string): Your application's client secret (required for confidential clients, omit for PKCE)
- code (string): Authorization code (required for authorization_code grant)
- redirect_uri (string): Redirect URI used in authorization request (required for authorization_code grant)
- code_verifier (string): PKCE code verifier (required when authorization used code_challenge). Must be 43-128 characters from [A-Z], [a-z], [0-9], "-", ".", "_", "~".
POST https://api.are.na/v3/oauth/token
- access_token (string!): The access token to use for API requests
- token_type (string!): Token type (always "Bearer")
- scope (string!): Granted scopes (space-separated)
- created_at (integer!): Unix timestamp when the token was created