The OAuth token endpoint for all access and refresh token requests. Ideally, the client should authenticate using HTTP Basic Authentication as described in the OAuth 2.0 RFC, though you can also POST the client_id and client_secret directly.

Authorization Grant: Once you've been granted an Authorization Code using our authorization endpoint, you POST to the token endpoint with grant_type=authorization_code&code={authorization_code}&redirect_uri={redirect_uri}. (If you are not using HTTP Basic Auth, you must also include &client_id={client_id}&client_secret={client_secret}.) The response will give you your access_token and refresh_token.

Refresh Token: Use this endpoint to obtain a new access_token using an existing refresh_token. Access tokens expire after 7200 seconds (2 hours) and refresh tokens expire after 315360000 seconds (10 years). POST application/x-www-form-urlencoded data as follows: grant_type=refresh_token&refresh_token={refresh_token}. (If you are not using HTTP Basic Auth, you must also include &client_id={client_id}&client_secret={client_secret}.)

This token response, including both the access_token and refresh_token, should be saved in your database according to your OAuth needs.


Post here to update an OAuth access_token using a refresh_token.
Get a response explaining which HTTP methods are supported


| Property | Description | Type | Constraints |
|---|---|---|---|
| grant_type | The OAuth grant type being requested as used for Refresh Tokens and the Authorization Code Grant. | String | Required. refresh_token or authorization_code. |
| refresh_token | The OAuth refresh token. This token is returned in the response whenever creating a client, user or store or when doing an authorization code grant. | String | Required for grant_type=refresh_token |
| code | Authorization Code granted via the Authorization Code grant. | String | Required for grant_type=authorization_code |
| redirect_uri | The redirect uri defined for this OAuth client. Used when doing Authorization Code grant and it must match what is stored for the OAuth client. | String | Required for grant_type=authorization_code |
| client_id | The client_id for your FoxyCart client resource. | String | Required unless using HTTP Basic Auth |
| client_secret | Although the OAuth 2.0 spec supports passing the client secret as a url param, it is much better to use HTTP Basic auth instead. | String | Required unless using HTTP Basic Auth |
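
The two grant requests from the property table, built with HTTP Basic auth so the client_secret never appears in the form body. This is an added example, not FoxyCart's own code: TOKEN_URL is a placeholder (this page does not state the endpoint URL), and the function names, the 60-second refresh margin and the JSON response format (as RFC 6749 specifies) are assumptions.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholder: this page does not state the token endpoint URL.
TOKEN_URL = "https://api.example.invalid/token"
ACCESS_TOKEN_TTL = 7200  # seconds, as stated on this page

# Parameters each grant type requires, per the property table.
REQUIRED = {
    "authorization_code": ("code", "redirect_uri"),
    "refresh_token": ("refresh_token",),
}


def build_token_request(client_id, client_secret, grant_type, **params):
    """Build the POST; credentials travel only in the Authorization header."""
    if grant_type not in REQUIRED:
        raise ValueError("grant_type must be refresh_token or authorization_code")
    missing = [name for name in REQUIRED[grant_type] if not params.get(name)]
    if missing:
        raise ValueError("missing for %s: %s" % (grant_type, ", ".join(missing)))
    form = {"grant_type": grant_type}
    form.update((name, params[name]) for name in REQUIRED[grant_type])
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        TOKEN_URL,
        data=urllib.parse.urlencode(form).encode(),
        headers={
            "Authorization": "Basic " + basic,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        method="POST",
    )


def needs_refresh(issued_at, now=None, skew=60):
    """True once the access token is within `skew` seconds of its 7200 s expiry."""
    now = time.time() if now is None else now
    return now >= issued_at + ACCESS_TOKEN_TTL - skew


def fetch_tokens(request):
    """Send the request; assumes a JSON token response as in RFC 6749."""
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.load(response)
```

Record the time the access_token was issued alongside the stored tokens so needs_refresh can be evaluated before each API call.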

Example Representation

POST Response:


Zoomable Resources

This resource has no linked resources which can be "zoomed" in on, filtered and embedded within this resource.