Developer Preview - This API is subject to change. Bug fixes and new features will be released based on developer feedback throughout the preview period.
Retrieves access and refresh tokens that a Wix OAuth app can use to make API calls on behalf of a site visitor.
This endpoint accepts requests with both application/json and application/x-www-form-urlencoded content types. The parameter names are the same for both content types.
The endpoint supports several grantType flows for obtaining tokens. Each flow has its own set of required fields. Here are the supported flows with their required fields:
Grant Type | Description | Required Fields |
---|---|---|
authorization_code | Used to obtain access and refresh tokens for an authenticated visitor after obtaining an authorization code. | redirectUri, code, codeVerifier |
refresh_token | Used to obtain a new access token using a refresh token after the previous access token expires. | refreshToken |
anonymous | Used to obtain access and refresh tokens for an unauthenticated site visitor. | None |
Name | Type | Description |
---|---|---|
clientId | string | Required: ID of the Wix OAuth app requesting authorization. |
grantType | string | Type of request flow. Supported values: - authorization_code - refresh_token - urn:ietf:params:oauth:grant-type:device_code - anonymous. The required fields for the device code flow are not documented on this page. |
refreshToken | string | Refresh token. Required when using the refresh_token grant type. |
redirectUri | string | Redirect URI that was passed to the redirect API when requesting an authorization code. Used to verify that the authorization and token requests come from the same source. Required when using the authorization_code grant type. |
code | string | Authorization code. Retrieved using the redirect API. Required when using the authorization_code grant type. |
codeVerifier | string | Code for PKCE verification. This is the original high-entropy secret from which the codeChallenge sent using the redirect API was derived; the challenge is a one-way hash of the verifier (not an encrypted form of it), and the server recomputes the hash to confirm that the token request comes from the same client that started the authorization. Required when using the authorization_code grant type. |
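The following is an added example, not code from the Wix documentation or SDK. It shows the client side of the parameter table above: generating a PKCE verifier/challenge pair with the S256 transform from RFC 7636, the check the server runs when codeVerifier arrives, and assembling a token request for each documented grant type with the required-field rules enforced before anything is sent. The client ID, redirect URI and authorization code are constructed placeholders, and the endpoint URL is deliberately not hard-coded because this page does not state it.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Required fields per grant type, copied from the flows table above. The
# urn:ietf:params:oauth:grant-type:device_code value is listed as supported but
# its fields are not documented on this page, so it is intentionally absent here.
REQUIRED_FIELDS = {
    "authorization_code": ("redirectUri", "code", "codeVerifier"),
    "refresh_token": ("refreshToken",),
    "anonymous": (),
}


def _b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge_for(verifier: str) -> str:
    """S256 transform: challenge = base64url(SHA-256(ASCII(verifier))).
    The challenge is a one-way hash of the verifier, not an encryption of it."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple:
    """Generate a fresh (code_verifier, code_challenge). The verifier stays with
    the client and is only sent in the token request; the challenge goes to the
    redirect API. 32 random bytes give a 43-character verifier (RFC 7636 minimum)."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, code_challenge_for(verifier)


def verifier_matches_challenge(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs when it receives codeVerifier.
    Constant-time compare so a mismatch does not leak how many characters matched."""
    return secrets.compare_digest(code_challenge_for(verifier), challenge)


def missing_fields(grant_type: str, fields: dict) -> list:
    """Names of required fields for grant_type that are absent or empty in fields."""
    return [f for f in REQUIRED_FIELDS.get(grant_type, ()) if not fields.get(f)]


def build_token_request(client_id: str, grant_type: str, **fields) -> dict:
    """Assemble the parameters for one token request, refusing to build a request
    the server would reject with invalid_request or unsupported_grant_type."""
    if grant_type not in REQUIRED_FIELDS:
        raise ValueError(f"unsupported_grant_type: {grant_type}")
    missing = missing_fields(grant_type, fields)
    if missing:
        raise ValueError(f"invalid_request: missing {', '.join(missing)}")
    params = {"clientId": client_id, "grantType": grant_type}
    # Only forward the fields this flow defines; stray parameters are a common
    # cause of invalid_request.
    params.update({k: fields[k] for k in REQUIRED_FIELDS[grant_type]})
    return params


def encode_body(params: dict, content_type: str = "application/json") -> str:
    """Serialize for either content type the endpoint accepts; the parameter
    names are identical in both."""
    if content_type == "application/x-www-form-urlencoded":
        return urlencode(params)
    if content_type == "application/json":
        return json.dumps(params)
    raise ValueError(f"unsupported content type: {content_type}")


if __name__ == "__main__":
    # Walk through the authorization_code flow with constructed placeholder values.
    verifier, challenge = make_pkce_pair()
    # ... send `challenge` to the redirect API and receive `code` at the redirect
    # URI (both steps assumed here; they are not part of this endpoint) ...
    params = build_token_request(
        "example-client-id", "authorization_code",
        redirectUri="https://app.example/callback",
        code="constructed-authorization-code",
        codeVerifier=verifier,
    )
    print(encode_body(params))
    print(encode_body(build_token_request("example-client-id", "anonymous"),
                      "application/x-www-form-urlencoded"))
```

The verifier must be generated fresh for every authorization attempt and never reused, and it should be stored only where the code exchange will run (for a browser client, session storage rather than a cookie the server could see). The `code_challenge_for` test vector below is the one from RFC 7636 Appendix B.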
If a request succeeds, the server returns an HTTP 200 status code with an application/json content type. The response body is a JSON object with the following fields:
Name | Type | Description |
---|---|---|
access_token | string | Access token. |
expires_in | integer | Number of seconds until the token expires. |
token_type | string | Token type. Only Bearer is supported. |
refresh_token | string | Refresh token. |
There are two types of error responses:
If the request includes an invalid redirectUri parameter, the server returns an HTTP 302 status code and redirects the request back to the client. The redirect URL carries the error in its fragment (the part after #), as an error key with one of the following values:
Error Message | Description |
---|---|
invalid_request | The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. |
unauthorized_client | The client is not authorized to request an access token using this method. |
access_denied | The request was denied. |
server_error | The authorization server encountered an unexpected condition that prevented it from fulfilling the request. (This error code is needed because a 500 Internal Server Error HTTP status code cannot be returned to the client via an HTTP redirect.) |
temporarily_unavailable | The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server. (This error code is needed because a 503 Service Unavailable HTTP status code cannot be returned to the client via an HTTP redirect.) |
If the request is invalid for any other reason, the server returns an HTTP 400 status code with an application/json content type. The response body is a JSON object with an error key and one of the following values:
Error Message | Description |
---|---|
invalid_request | The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. |
invalid_client | Client authentication failed. |
invalid_grant | The provided authorization code or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. |
unauthorized_client | The authenticated client is not authorized to use this authorization grant type. |
unsupported_grant_type | The authorization grant type is not supported by the authorization server. |
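Added example (not code from the Wix documentation or SDK) covering the success and error response shapes described above: a 200 JSON body with tokens, a 400 JSON body with an error key, and a 302 whose error lives in the URL fragment. It turns expires_in into an absolute expiry so the client refreshes ahead of time, and maps each documented error code to a concrete next step, since only some of them are worth retrying. The sample responses are constructed, not captured from Wix.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Transient server-side codes the page documents; both are safe to retry.
RETRYABLE = {"server_error", "temporarily_unavailable"}
# Codes that mean the client registration or request shape is wrong; retrying cannot help.
CLIENT_CONFIG_ERRORS = {"invalid_client", "unauthorized_client", "unsupported_grant_type"}
# Refresh this many seconds before expires_in runs out, to absorb clock skew and latency.
REFRESH_SKEW_SECONDS = 60

# Constructed sample responses (not captured from Wix) in the three shapes the page documents.
SAMPLE_OK = (200, {"Content-Type": "application/json"}, json.dumps({
    "access_token": "example-access-token", "expires_in": 14400,
    "token_type": "Bearer", "refresh_token": "example-refresh-token"}))
SAMPLE_BAD_GRANT = (400, {"Content-Type": "application/json"}, '{"error": "invalid_grant"}')
SAMPLE_REDIRECT = (302, {"Location": "https://app.example/callback#error=access_denied"}, "")


def parse_token_response(status: int, headers: dict, body: str, now: float) -> dict:
    """Normalize a token endpoint response into {"ok": True, "tokens": ...} or
    {"ok": False, "error": ..., "via_redirect": ...}. `now` is the caller's clock
    (time.time()) so expires_in can be turned into an absolute expiry."""
    if status == 200:
        data = json.loads(body)
        # The page says only Bearer is issued; anything else is a client bug or a tampered response.
        if data.get("token_type") != "Bearer":
            return {"ok": False, "error": "unexpected_token_type", "via_redirect": False}
        tokens = {
            "access_token": data["access_token"],
            "refresh_token": data.get("refresh_token"),
            "expires_at": now + int(data["expires_in"]),
        }
        return {"ok": True, "tokens": tokens}
    if status == 302:
        # The error travels in the URL fragment, which browsers never send to a server,
        # so only client-side code that reads location.hash will see it.
        location = next((v for k, v in headers.items() if k.lower() == "location"), "")
        fragment = urlsplit(location).fragment
        error = parse_qs(fragment).get("error", ["invalid_request"])[0]
        return {"ok": False, "error": error, "via_redirect": True}
    if status == 400:
        try:
            error = json.loads(body).get("error", "invalid_request")
        except (ValueError, AttributeError):
            error = "invalid_request"
        return {"ok": False, "error": error, "via_redirect": False}
    return {"ok": False, "error": f"http_{status}", "via_redirect": False}


def needs_refresh(tokens: dict, now: float) -> bool:
    """True once the access token is within the skew window of expiring."""
    return now >= tokens["expires_at"] - REFRESH_SKEW_SECONDS


def next_action(result: dict) -> str:
    """Map a parsed response to what the client should do next."""
    if result["ok"]:
        return "use_tokens"
    error = result["error"]
    if error in RETRYABLE:
        return "retry_with_backoff"
    if error in CLIENT_CONFIG_ERRORS:
        return "fix_client_configuration"
    if error == "invalid_grant":
        # An expired, revoked or mismatched code/refresh token cannot be resent; drop the
        # stored refresh token and start over (new authorization or the anonymous flow).
        return "discard_tokens_and_restart"
    if error == "access_denied":
        return "abort"
    return "fix_request"


if __name__ == "__main__":
    import time
    for sample in (SAMPLE_OK, SAMPLE_BAD_GRANT, SAMPLE_REDIRECT):
        result = parse_token_response(*sample, now=time.time())
        print(result, "->", next_action(result))
```

Treat an invalid_grant on a refresh_token request as a signal to wipe the stored refresh token rather than retry; a refresh token that has been revoked or reused will keep failing, and looping on it only generates noise in the server's logs.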
All examples use the application/json content type.
Request:
Response
Request:
Response
Request:
Response