Skip to main content
European CommissionEBSI European Blockchain
Get Help
Select the Environment you want to work withEnvironment:

Token endpoint

Last updated on 
POST 
/conformance/v3/auth-mock/token

The client proceeds with the code flow by calling the Token Endpoint with the required details. The client_assertion JWT must be signed using the client's private key, with the corresponding public key available through the jwks_uri parameter or included in the Client Metadata provided during the pre-registration step.

Request

Body
    grant_type Grant Typerequired

    Possible values: [authorization_code, urn:ietf:params:oauth:grant-type:pre-authorized_code]

    MUST have the value 

    authorization_code
    or 
    urn:ietf:params:oauth:grant-type:pre-authorized_code

    client_id URL

    REQUIRED when 

    grant_type
    is 
    authorization_code
    .

    OAuth 2.0 Client Identifier valid at the Authorisation Server.

    Verifiable Accreditation Issuance: MUST be URL of the issuer requesting the accreditation that was registered with the Accreditation Issuer

    code Authorisation Code

    REQUIRED when 

    grant_type
    is 
    authorization_code
    .

    An opaque value that can be used to redeem tokens from the token endpoint.

    code
    is returned if the 
    response_type
    includes 
    code
    . The code has a lifetime of 300 seconds. It MUST match the value from the authentication response.

    client_assertion_type Client Assertion Type

    The format of the assertion as defined by the Authorisation Server. The value will be an absolute URI.

    code_verifier Code Verifier

    Wallet generated secure random token, used to validate the original 

    code_challenge
    provided in initial Authorisation Request.

    pre-authorized_code Pre-authorized code

    CONDITIONAL. The code representing the authorization to obtain Credentials of a certain type. This parameter is required if the 

    grant_type
    is 
    urn:ietf:params:oauth:grant-type:pre-authorized_code
    . In WCT v3 Holder wallet tests, the code corresponds to the string concatenation of the last 4 bytes (modulo 10) of the sha256 hash of the user DID. Example: the code corresponding to the DID 
    did:key:z2dmzD81cgPx8Vki7JbuuMmFYrWPgYoytykUZ3eyqht1j9KbsDbVZXdb3jzCagESyY4EE2x7Yjx3gNwctoEuRCKKDrdNP3HPFtG8RTvBiYStT5ghBHhHizH2Dy6xQtW3Pd2SecizL9b2jzDCMr7Ka5cRAWZFwvqwAtwTT7xet769y9ERh6
    is "5910".

    user_pin User PIN

    OPTIONAL. String value containing a user PIN. This value MUST be present if 

    user_pin_required
    was set to 
    true
    in the Credential Offer. The string value MUST consist of maximum 8 numeric characters (the numbers 0 - 9). This parameter MUST only be used if the 
    grant_type
    is 
    urn:ietf:params:oauth:grant-type:pre-authorized_code
    .

Responses

OK

Schema
    access_token JWSrequired

    The access token issued by the Authorisation Server.

    The Access Token MUST be signed by the Authorisation Server.

    id_token JWSrequired

    The ID token issued by the Authorisation Server.

    token_type Token Typerequired

    Possible values: [bearer]

    The access token type provides the client with the information required to successfully utilize the access token to make a protected resource request (along with type-specific attributes).

    expires_in Expires inrequired

    The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated.

    Lifetime must be 86400 seconds.

    c_nonce Challenge Noncerequired

    JSON string containing a nonce to be used to create a proof of possession of key material when requesting a Credential (see Section 7.2 of OpenID for VCI). When received, the Wallet MUST use this nonce value for its subsequent credential requests until the Credential Issuer provides a fresh nonce.

    c_nonce_expires_in Challenge Nonce expires inrequired

    The lifetime in seconds of the c_nonce token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated.

Loading...