> ## Documentation Index
> Fetch the complete documentation index at: https://docs.endaoment.org/llms.txt
> Use this file to discover all available pages before exploring further.

# Get access token

> Exchanges an OAuth 2.0 authorization code (Authorization Code + PKCE flow) or refresh token for an Endaoment access token.

This endpoint lives on the Endaoment **auth server** (`{AUTH_URL}/token`), not the API server. Call it from your backend only—never from browser or mobile client code.

For the authorize redirect that produces the `code`, send users to `{AUTH_URL}/auth` with your registered `client_id`, `redirect_uri`, PKCE params, and scopes.



## OpenAPI

````yaml https://api.endaoment.org/oas-json post /token
openapi: 3.0.0
info:
  title: Endaoment API
  description: >-
    The official Endaoment API endpoints. Dev (canary) = newest features;
    Staging (stable) = pre-production.
  version: 0.0.0-dev
  contact: {}
servers:
  - url: https://api.endaoment.org
    description: Production
security: []
tags:
  - name: Partner Endpoints
    description: Tech-platform partner server-to-server APIs
  - name: Authentication
    description: OAuth callers, API keys, and session verification
  - name: Funds
    description: Donor-advised fund lifecycle
  - name: Donations
    description: Donation pledges, supported assets, and impact totals
  - name: Portfolios
    description: Investment portfolio catalog
  - name: Nonprofit Organizations
    description: Nonprofit lookup, subprojects, and missing-org intake
  - name: Grant Transfers
    description: Grant and entity transfers
  - name: Collaboration
    description: Collaborator recommendations and fund collaboration
  - name: Activity
    description: Public and scoped activity feeds
paths:
  /token:
    servers:
      - url: https://auth.endaoment.org
        description: Production
      - url: https://auth.dev.endaoment.org
        description: Development
      - url: https://auth.staging.endaoment.org
        description: Staging
    post:
      tags:
        - Authentication
      summary: Get access token
      description: >-
        Exchanges an OAuth 2.0 authorization code (Authorization Code + PKCE
        flow) or refresh token for an Endaoment access token.


        This endpoint lives on the Endaoment **auth server**
        (`{AUTH_URL}/token`), not the API server. Call it from your backend
        only—never from browser or mobile client code.


        For the authorize redirect that produces the `code`, send users to
        `{AUTH_URL}/auth` with your registered `client_id`, `redirect_uri`, PKCE
        params, and scopes.
      operationId: OAuthController_token
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/OAuthTokenRequestDto'
      responses:
        '200':
          description: Access token issued
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuthTokenResponseDto'
        '400':
          description: Invalid grant, redirect URI mismatch, or malformed request
        '401':
          description: Invalid client credentials
      security:
        - OAuthClientCredentials: []
components:
  schemas:
    OAuthTokenRequestDto:
      oneOf:
        - type: object
          required:
            - grant_type
            - code
            - redirect_uri
            - code_verifier
          properties:
            grant_type:
              type: string
              enum:
                - authorization_code
            code:
              type: string
              description: Authorization code from `/auth` callback.
            redirect_uri:
              type: string
              format: uri
            code_verifier:
              type: string
              description: PKCE code verifier.
            client_id:
              type: string
            client_secret:
              type: string
        - type: object
          required:
            - grant_type
            - refresh_token
          properties:
            grant_type:
              type: string
              enum:
                - refresh_token
            refresh_token:
              type: string
            client_id:
              type: string
            client_secret:
              type: string
    OAuthTokenResponseDto:
      type: object
      properties:
        access_token:
          type: string
        token_type:
          type: string
          example: Bearer
        expires_in:
          type: integer
        refresh_token:
          type: string
        scope:
          type: string
        id_token:
          type: string
  securitySchemes:
    OAuthClientCredentials:
      type: http
      scheme: basic
      description: OAuth client ID and secret as HTTP Basic credentials.

````