Exchange an authorization code

An access_token is valid for one hour. You can use the /oauth/token operation to request a new one in order to keep a user authenticated for the length of your site or application’s session.

If you pass the value code in the response_type parameter, an authorization code will be returned upon successful login or registration. The authorization code must then be passed to a server and exchanged for an access token and refresh token.

$api_call= '/oauth/token';
$params= array(
    'client_id'=> JANRAIN_LOGIN_CLIENT_ID,
    'client_secret'=> JANRAIN_LOGIN_CLIENT_SECRET,
    'redirect_uri'=> 'https://localhost'
    'grant_type'=> 'authorization_code',
    // authorization code from user login/registration
    'code'=> $_POST['authorization_code']
$curl= curl_init();
$api_response= json_decode(curl_exec($curl));
ResponseOutcome / Next Step
Success (ok)Access token and refresh token are returned.

These tokens must be stored in the server session and refreshed as needed using the /oauth/token operation.

When a user interacting with the site or app attempts an action that requires an access token (e.g. save profile), a server-side script can be called to generate a new valid access token and pass it back to re-attempt the action.