Once you have an authorization code you can request an Access Token to use with our API endpoints.
After successfully completing the Authorization flow, the user will be returned to your App along with a code parameter you can use to request an Access Token.
You will make a POST request to our https://app.usecanopy.com/oauth2/token endpoint. While the previous steps were all taken in the user’s browser, this and future requests will typically be made from your backend servers.
Request Parameters
Your POST request body should be application/x-www-form-urlencoded encoded.
Parameter | Description | Type |
---|---|---|
client_id | The Client ID you were assigned when Creating Your App. | Required |
client_secret | The Client Secret you were assigned when Creating Your App. | Required |
code | The code you received during the Authorization flow. | Required |
code_verifier | The PKCE Code Verifier you generated during the Authorization flow. | Required |
grant_type | This must be set to authorization_code. | Required |
redirect_uri | This must match the value used during the Authorization flow. | Required |
Response Parameters
Success
If the token request is successful the response body will contain a JSON object with the following properties:
Property | Description |
---|---|
access_token | The Access Token you can use to authenticate when Making API Requests. |
expires_in | The number of seconds before the Access Token expires. |
refresh_token | A Refresh Token you can use to request a new Access Token when it has expired. |
team_id | The ID of the Canopy Connect Team your App is authorized to make requests for. |
token_type | The Access Token type, which will always be bearer. |
The access_token and refresh_token values are encoded as JSON Web Tokens. You can decode them and check the exp value to get the precise time that they will expire. The rest of the JWT payload is subject to change and you should not rely on any of the values.
Failure
If there is an issue with your token request we will return a 400 Bad Request response with a JSON object containing an error code and possible error_description value. This indicates a problem with your request which you will need to investigate before proceeding.
Your App should also handle 5xx error responses if there is an issue with our service at the time of your request. This indicates a temporary issue and your request can be retried, but please note that the Authorization code has a short expiry window after which you will need to restart the OAuth flow to obtain a new code.
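The following backend-side sketch puts the request parameters, the exp check and the 400/5xx handling together. It is an added example, not Canopy Connect's own code: the function names, the retry count and backoff, and the injectable opener argument are assumptions made for illustration.

```python
import base64, json, time
import urllib.error, urllib.parse, urllib.request

TOKEN_URL = "https://app.usecanopy.com/oauth2/token"

def build_token_request(client_id, client_secret, code, code_verifier, redirect_uri):
    """Form-encode the six required parameters into a POST request."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,  # keep out of logs and client-side code
        "code": code,
        "code_verifier": code_verifier,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,  # must match the Authorization flow value
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")

def jwt_exp(token):
    """Return the exp claim (Unix seconds). No signature check: the token came
    straight from the token endpoint and only exp is read."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))["exp"]

def exchange_code(request, opener=urllib.request.urlopen, attempts=3, delay=1.0):
    """POST the request; retry 5xx with backoff, fail fast on 400.
    attempts and delay are assumed values, not documented limits."""
    for attempt in range(attempts):
        try:
            with opener(request, timeout=10) as response:
                return json.load(response)
        except urllib.error.HTTPError as err:
            if err.code >= 500 and attempt < attempts - 1:
                time.sleep(delay * 2 ** attempt)  # keep waits short: the code expires
                continue
            if err.code == 400:
                detail = json.load(err)
                raise ValueError("token request rejected: %s %s" % (
                    detail.get("error"), detail.get("error_description", ""))) from None
            raise
```

If the retries are exhausted or the code has expired in the meantime, restart the OAuth flow rather than reusing the old code.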