OAuth · Schema

OAuth 2.0 Token Response

Schema describing the structure of a successful OAuth 2.0 access token response as defined in RFC 6749 Section 5.1. The authorization server issues an access token and optional refresh token upon a valid and authorized token request.

Access Control · Authorization · OAuth · Security · Tokens

Properties

| Name | Type | Description |
|---|---|---|
| access_token | string | The access token issued by the authorization server. |
| token_type | string | The type of the token issued as described in RFC 6749 Section 7.1. Value is case insensitive. |
| expires_in | integer | The lifetime in seconds of the access token. If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value. |
| refresh_token | string | The refresh token, which can be used to obtain new access tokens using the same authorization grant. |
| scope | string | The scope of the access token as a space-delimited list of case-sensitive strings. OPTIONAL if identical to the scope requested; otherwise, REQUIRED. |

JSON Schema

oauth-token-response.json

```json
{
  "$id": "oauth-token-response.json",
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "OAuth 2.0 Token Response",
  "description": "Schema describing the structure of a successful OAuth 2.0 access token response as defined in RFC 6749 Section 5.1. The authorization server issues an access token and optional refresh token upon a valid and authorized token request.",
  "type": "object",
  "required": [
    "access_token",
    "token_type"
  ],
  "properties": {
    "access_token": {
      "type": "string",
      "description": "The access token issued by the authorization server."
    },
    "token_type": {
      "type": "string",
      "description": "The type of the token issued as described in RFC 6749 Section 7.1. Value is case insensitive.",
      "examples": [
        "Bearer",
        "mac"
      ]
    },
    "expires_in": {
      "type": "integer",
      "description": "The lifetime in seconds of the access token. If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value.",
      "minimum": 0,
      "examples": [
        3600
      ]
    },
    "refresh_token": {
      "type": "string",
      "description": "The refresh token, which can be used to obtain new access tokens using the same authorization grant."
    },
    "scope": {
      "type": "string",
      "description": "The scope of the access token as a space-delimited list of case-sensitive strings. OPTIONAL if identical to the scope requested; otherwise, REQUIRED.",
      "pattern": "^[\\x21\\x23-\\x5B\\x5D-\\x7E]+(\\s[\\x21\\x23-\\x5B\\x5D-\\x7E]+)*$"
    }
  },
  "additionalProperties": true
}
```
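
An added example, not part of the schema project's own code: a client-side check of a token endpoint body against the constraints above, using only the Python standard library. The names `parse_token_response` and `TokenResponseError`, the Bearer-only policy, the rejection of empty tokens and the sample body are assumptions of this example; scope tokens are split on a single space, as the `scope` description states.

```python
import json
import re

# Scope-token characters from the schema's "scope" pattern: %x21 / %x23-5B / %x5D-7E
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")
SUPPORTED_TOKEN_TYPES = {"bearer"}  # assumption: this client only speaks Bearer


class TokenResponseError(ValueError):
    """The token endpoint body does not satisfy the schema or client policy."""


def parse_token_response(body, default_lifetime=None):
    """Validate a token response body (str) and return a normalized dict."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise TokenResponseError(f"not JSON: {exc}") from None
    if not isinstance(doc, dict):
        raise TokenResponseError("response must be a JSON object")
    for name in ("access_token", "token_type"):  # the schema's "required" list
        if not isinstance(doc.get(name), str) or not doc[name]:
            raise TokenResponseError(f"{name} must be a non-empty string")
    token_type = doc["token_type"].lower()  # value is case insensitive
    if token_type not in SUPPORTED_TOKEN_TYPES:
        raise TokenResponseError(f"unsupported token_type {doc['token_type']!r}")
    expires_in = doc.get("expires_in", default_lifetime)
    # bool subclasses int in Python, so JSON true/false is excluded explicitly
    if expires_in is not None and (
        isinstance(expires_in, bool) or not isinstance(expires_in, int) or expires_in < 0
    ):
        raise TokenResponseError("expires_in must be a non-negative integer")
    refresh_token = doc.get("refresh_token")
    if refresh_token is not None and not isinstance(refresh_token, str):
        raise TokenResponseError("refresh_token must be a string")
    scopes = None  # None means: same scope as the client requested
    if "scope" in doc:
        tokens = doc["scope"].split(" ") if isinstance(doc["scope"], str) else [""]
        if not all(SCOPE_TOKEN.fullmatch(t) for t in tokens):
            raise TokenResponseError("scope must be space-delimited scope tokens")
        scopes = frozenset(tokens)
    # Unknown members are allowed by "additionalProperties": true and are dropped here
    return {"access_token": doc["access_token"], "token_type": token_type,
            "expires_in": expires_in, "refresh_token": refresh_token, "scopes": scopes}


# Constructed sample response, not taken from any real server
SAMPLE = ('{"access_token": "constructed-sample-token", "token_type": "BEARER", '
          '"expires_in": 3600, "scope": "read write", "vendor_ext": 1}')
```

When `scopes` comes back as a set, compare it with the scope the client requested before using the token, since the server may have granted less.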