Token validation

Validate an authorization grant code delivered to your app to obtain tokens, or validate an existing refresh token.

URL

POST https://appleid.apple.com/auth/token

Response Codes

Status  Reason       Type           Description
200     OK           TokenResponse  The request was successful. Content-Type: application/json
400     Bad Request  ErrorResponse  The server was unable to process the request. Content-Type: application/json

Discussion

The validation server returns a TokenResponse object in the response body of a successful validation request. Use this endpoint either to authorize a user by validating the authorization code your app received, or to verify a user session or obtain access tokens by validating an existing refresh token.

Validate the authorization grant code

When you send an authorization request to the validation server, include the following form data parameters:

  • client_id

  • client_secret

  • code

  • grant_type

  • redirect_uri

The following is an example authorization validation request using cURL (the -d options send the form body; -X POST makes the method explicit):

curl -v -X POST "https://appleid.apple.com/auth/token" \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'client_id=CLIENT_ID' \
  -d 'client_secret=CLIENT_SECRET' \
  -d 'code=CODE' \
  -d 'grant_type=authorization_code' \
  -d 'redirect_uri=REDIRECT_URI'

After the server validates the authorization code, the endpoint returns the identity token, an access token, and a refresh token. The following is an example authorization validation response:

{
  "access_token": "adg61...67Or9",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "rca7...lABoQ",
  "id_token": "eyJra...96sZg"
}

Use the refresh token to verify the user session from the server and obtain access tokens.

Validate an existing refresh token

When performing a validation request, you must include the following form data parameters:

  • client_id

  • client_secret

  • grant_type

  • refresh_token

The following is an example refresh token validation request using cURL:

curl -v -X POST "https://appleid.apple.com/auth/token" \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'client_id=CLIENT_ID' \
  -d 'client_secret=CLIENT_SECRET' \
  -d 'grant_type=refresh_token' \
  -d 'refresh_token=REFRESH_TOKEN'

After the server validates the refresh token, the endpoint returns the identity token and an access token. The following is an example refresh token validation response:

{
  "access_token": "beg510...67Or9",
  "token_type": "Bearer",
  "expires_in": 3600,
  "id_token": "eyJra...96sZg"
}
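Both flows above (the authorization_code grant and the refresh_token grant) differ only in the form parameters they send, so a server-side client can share one request builder and one response parser. The following is an added example written for this page, not Apple's own code: it builds the two documented form bodies, POSTs them to https://appleid.apple.com/auth/token with the standard library, and distinguishes a 200 TokenResponse from a 400 ErrorResponse. The placeholder values (CLIENT_ID, CLIENT_SECRET, CODE, REDIRECT_URI, REFRESH_TOKEN), the `error` field assumed on the ErrorResponse (the OAuth 2.0 error-response shape; the page does not list ErrorResponse's fields), the `expires_at` field the parser adds, and the sample id_token are constructed here and are not from the page.

```python
"""Sign in with Apple token validation client (added example, not Apple's code).

Builds the two POST bodies documented for https://appleid.apple.com/auth/token,
sends them, and separates a TokenResponse (200) from an ErrorResponse (400).
Placeholder values and the sample id_token below are constructed for the demo.
"""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://appleid.apple.com/auth/token"
FORM_HEADERS = {"content-type": "application/x-www-form-urlencoded"}


def authorization_code_body(client_id, client_secret, code, redirect_uri):
    """Form parameters for the authorization_code grant (first exchange)."""
    return urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
    })


def refresh_token_body(client_id, client_secret, refresh_token):
    """Form parameters for the refresh_token grant (session re-validation)."""
    return urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
    })


class TokenValidationError(Exception):
    """Raised for a 400 ErrorResponse, an unexpected status, or a bad body."""


def parse_token_response(status, body, now=None):
    """Turn (HTTP status, JSON body) into a dict with an absolute expiry time.

    200 -> TokenResponse (returned); 400 -> ErrorResponse (raised). The
    `error` field is assumed from the OAuth 2.0 error-response shape.
    """
    payload = json.loads(body)
    if status == 400:
        raise TokenValidationError(payload.get("error", "unknown_error"))
    if status != 200:
        raise TokenValidationError(f"unexpected status {status}")
    for field in ("access_token", "token_type", "expires_in", "id_token"):
        if field not in payload:
            raise TokenValidationError(f"missing field {field}")
    now = time.time() if now is None else now
    # expires_in is relative seconds; store an absolute time for the session.
    payload["expires_at"] = now + int(payload["expires_in"])
    return payload


def http_post(body):
    """Real transport: POST the form body, return (status, response text)."""
    req = urllib.request.Request(TOKEN_URL, data=body.encode(),
                                 headers=FORM_HEADERS, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # a 400 still carries a JSON body
        return err.code, err.read().decode()


def validate(body, transport=http_post):
    """Send a prepared form body through `transport` and parse the result."""
    status, text = transport(body)
    return parse_token_response(status, text)


def unverified_id_token_claims(id_token):
    """Decode the id_token payload WITHOUT checking its signature.

    Fine for logging `sub` or `exp`; do not authorize a user on these claims
    until the JWS signature has been verified against Apple's public keys.
    """
    payload_b64 = id_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample id_token (header.payload.signature); the signature part is
# a placeholder, so this token would fail real verification.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "demo-kid"}),
    _b64url({"iss": "https://appleid.apple.com", "sub": "001234.demo", "exp": 4600}),
    "placeholder-signature",
])
```

A real call is `validate(authorization_code_body(...))`; in tests, pass a `transport` callable that returns a canned `(status, body)` pair so the request builder and parser can be exercised without contacting Apple's server.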

HTTP Body

The list of input parameters required for the server to validate the authorization code or refresh token.

See Also

Generating and revoking tokens