📋JSON Templates

OAuth Token Response

OAuth 2.0 token endpoint response structure (RFC 6749 §5.1 success, §5.2 error).

Explanation

A successful token response (HTTP 200, application/json) carries the access_token, its token_type (normally Bearer, compared case-insensitively), the lifetime in seconds as expires_in (recommended, not required), and optionally a refresh_token and the granted scope. A failed request returns HTTP 400 (401 when client authentication fails) with an error code from the fixed list in RFC 6749 §5.2 and an optional human-readable error_description; an error body never contains an access_token.

Examples

Success Response
Output
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "def50200abc...",
  "scope": "read write"
}
Error Response
Output
{
  "error": "invalid_grant",
  "error_description": "The provided authorization grant is invalid, expired, or revoked"
}

Code Examples

TypeScript
interface OAuthTokenResponse {
  access_token: string;
  // RFC 6749 makes the value case-insensitive: servers send "Bearer" or "bearer"
  token_type: string;
  // RECOMMENDED by RFC 6749 §5.1, so not every server sends it
  expires_in?: number;
  refresh_token?: string;
  scope?: string;
}

interface OAuthErrorResponse {
  error: string;
  error_description?: string;
  error_uri?: string;
}

// Exchange an authorization code for tokens (RFC 6749 §4.1.3).
// Client credentials come from the environment, never from source code.
async function getAccessToken(code: string): Promise<OAuthTokenResponse> {
  const response = await fetch('https://oauth.example.com/token', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: new URLSearchParams({
      grant_type: 'authorization_code',
      code,
      client_id: process.env.OAUTH_CLIENT_ID!,
      client_secret: process.env.OAUTH_CLIENT_SECRET!,
      redirect_uri: 'https://yourapp.com/callback'
    })
  });

  const body = await response.json();

  // Failures arrive as HTTP 400/401 with an "error" member (RFC 6749 §5.2);
  // check before touching access_token, which an error body does not have.
  if (!response.ok || 'error' in body) {
    const err = body as OAuthErrorResponse;
    throw new Error(`token request failed: ${err.error} ${err.error_description ?? ''}`);
  }

  const token = body as OAuthTokenResponse;
  // Only Bearer tokens (RFC 6750) are handled here; refuse anything else
  if (token.token_type.toLowerCase() !== 'bearer') {
    throw new Error(`unsupported token_type: ${token.token_type}`);
  }
  return token;
}

💡 Tips

  • Keep tokens where page scripts cannot read them: server-side session storage, or httpOnly, Secure, SameSite cookies
  • Treat expires_in as a relative lifetime: compute an absolute expiry when the response arrives and refresh before it, with a margin for clock skew
  • Use PKCE (RFC 7636: code_verifier sent to the token endpoint, S256 code_challenge sent to the authorization endpoint) for public clients such as SPAs and mobile apps, which cannot keep a client_secret
  • Compare token_type case-insensitively against "bearer" (RFC 6749 says the value is case-insensitive) and reject any type the client does not support
  • Implement the refresh_token grant (RFC 6749 §6) and store the new refresh_token when the server rotates it
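
The PKCE and proactive-refresh tips above, as an added example that is not part of the original page: generating a code_verifier/code_challenge pair, placing the challenge in the authorization request and the verifier in the token request, building the refresh grant, and deciding when a token is close enough to expiry to refresh. The endpoint URLs, client id and redirect URI are placeholders; nothing here touches the network.

```typescript
// Added example (not from the original page): PKCE (RFC 7636) for a public
// client and a refresh-before-expiry check. All identifiers are placeholders.
import { createHash, randomBytes } from "node:crypto";

// S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))), no padding.
export function pkceChallenge(verifier: string): string {
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// 32 random bytes encode to 43 unreserved characters, inside the 43..128
// length range RFC 7636 requires for a code_verifier.
export function newPkcePair(): { verifier: string; challenge: string } {
  const verifier = randomBytes(32).toString("base64url");
  return { verifier, challenge: pkceChallenge(verifier) };
}

// Authorization request: only the challenge leaves the client. The verifier
// stays in memory (or the session) until the code comes back.
export function buildAuthorizeUrl(opts: {
  authorizeEndpoint: string;
  clientId: string;
  redirectUri: string;
  scope: string;
  state: string;
  challenge: string;
}): string {
  const u = new URL(opts.authorizeEndpoint);
  u.search = new URLSearchParams({
    response_type: "code",
    client_id: opts.clientId,
    redirect_uri: opts.redirectUri,
    scope: opts.scope,
    state: opts.state,
    code_challenge: opts.challenge,
    code_challenge_method: "S256",
  }).toString();
  return u.toString();
}

// Token request for the code exchange: code_verifier takes the place of the
// client_secret a browser or mobile app cannot keep.
export function codeExchangeBody(opts: {
  code: string;
  clientId: string;
  redirectUri: string;
  verifier: string;
}): URLSearchParams {
  return new URLSearchParams({
    grant_type: "authorization_code",
    code: opts.code,
    client_id: opts.clientId,
    redirect_uri: opts.redirectUri,
    code_verifier: opts.verifier,
  });
}

// Token request for the refresh grant (RFC 6749 §6).
export function refreshBody(refreshToken: string, clientId: string): URLSearchParams {
  return new URLSearchParams({
    grant_type: "refresh_token",
    refresh_token: refreshToken,
    client_id: clientId,
  });
}

// Refresh when the token will expire within skewMs of now. A null expiresAt
// means the server sent no expires_in: nothing to schedule, so the client
// must fall back to refreshing on a 401.
export function needsRefresh(
  expiresAt: number | null,
  now: number = Date.now(),
  skewMs: number = 60_000,
): boolean {
  return expiresAt !== null && now + skewMs >= expiresAt;
}
```

Usage: call `newPkcePair()` once per login, send `buildAuthorizeUrl({...challenge})` to the browser, and post `codeExchangeBody({...verifier})` to the token endpoint when the code arrives; the server recomputes S256 over the verifier and rejects the exchange if it does not match the challenge it saw earlier, so a code stolen from the redirect is useless without the verifier. `needsRefresh` takes the absolute expiry computed when the token response was parsed.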

⚠️ Common Pitfalls

  • Never put access tokens in URLs: they end up in server logs, browser history and Referer headers
  • Don't store tokens in localStorage or sessionStorage: any XSS on the origin reads them
  • Refresh tokens are long-lived credentials: keep them server-side or in httpOnly cookies, and support rotation so a leaked one is invalidated on first use
  • Don't wait for a 401: check expires_in on receipt and refresh before the token expires
  • Check the HTTP status and the "error" member before reading access_token: an error body has none