POST /v1/regions/global/auth/token
Mint access token
const options = {
  method: 'POST',
  headers: {Authorization: 'Bearer <token>', 'Content-Type': 'application/json'},
  body: JSON.stringify({
    grant_type: 'authorization_code',
    code: '<string>',
    redirect_uri: '<string>',
    scope_narrowing: {scope: 'organization', scopeId: 'proj-abc123', roles: ['member']}
  })
};

fetch('https://api.k0rdent.ai/v1/regions/global/auth/token', options)
  .then(res => res.json())
  .then(res => console.log(res))
  .catch(err => console.error(err));
{
  "access_token": "<string>",
  "token_type": "Bearer",
  "expires_in": 900,
  "refresh_token": "<string>"
}

Authorizations

Authorization (string, header, required)

Bearer token authentication using OAuth2/OIDC tokens

Body

application/json
grant_type (enum<string>, required)

Available options: authorization_code

code (string, required)

Authorization code from the OAuth2 /authorize flow.

redirect_uri (string<uri>, required)

Redirect URI that was used in the authorization request. Must match exactly.

scope_narrowing (object)

Optional scope narrowing for the minted token. When provided, the issued JWT will have a narrower scope and/or fewer roles than the credential's effective privileges. The requested scope must be at or below the credential's scope level in the hierarchy (org > project), and the requested roles must be a subset of the effective roles.

Response

Token successfully minted.

access_token (string, required)

Self-contained JWT access token. Contains claims for sub, iss, aud, exp, iat, jti, tenant_id, scope, scope_id, roles, and principal_type.

token_type (enum<string>, required)

Token type. Always "Bearer".

Available options: Bearer

expires_in (integer, required)

Token lifetime in seconds.

Example: 900

refresh_token (string)

Refresh token for obtaining new access tokens without re-authentication. Only issued for the authorization_code grant type. Not issued for api_key or client_credentials grants.
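
A client that sends scope_narrowing can confirm that the access_token it received is no broader than what it asked for. The following is an added example, not code from the k0rdent documentation: it assumes roles is an array of strings and that the scope and scope_id claims carry the requested scope and scopeId values, and the sample claim values and the 'admin' role are constructed.

```javascript
// Added example, not k0rdent code. Sanity-checks a minted token against the
// scope_narrowing that was requested. The payload is decoded WITHOUT signature
// verification, so this catches over-broad tokens but does not validate them.
// Assumed claim shapes (the page lists claim names only): roles is an array of
// strings; scope and scope_id equal the requested scope and scopeId.

function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected 3 segments)');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Returns a list of problems; an empty list means the token matches the request.
function checkNarrowedToken(tokenResponse, requested) {
  const claims = decodeJwtPayload(tokenResponse.access_token);
  const problems = [];
  if (tokenResponse.token_type !== 'Bearer') problems.push('token_type is not Bearer');
  if (claims.scope !== requested.scope) problems.push(`scope "${claims.scope}" differs from requested "${requested.scope}"`);
  if (claims.scope_id !== requested.scopeId) problems.push(`scope_id "${claims.scope_id}" differs from requested "${requested.scopeId}"`);
  const roles = Array.isArray(claims.roles) ? claims.roles : null;
  if (!roles) problems.push('roles claim missing or not an array');
  const extra = (roles || []).filter(r => !requested.roles.includes(r));
  if (extra.length) problems.push(`roles beyond request: ${extra.join(', ')}`);
  if (!Number.isFinite(claims.exp) || !Number.isFinite(claims.iat)) {
    problems.push('exp or iat claim missing');
  } else if (claims.exp - claims.iat > tokenResponse.expires_in) {
    problems.push('token lifetime exceeds expires_in');
  }
  return problems;
}

// Constructed sample data: builds an unsigned stand-in token response for the demo.
function makeSampleResponse(claimOverrides = {}) {
  const seg = obj => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const claims = {sub: 'user-1', tenant_id: 'tenant-1', scope: 'organization', scope_id: 'proj-abc123',
    roles: ['member'], iat: 1700000000, exp: 1700000900, ...claimOverrides};
  return {access_token: `${seg({alg: 'RS256', typ: 'JWT'})}.${seg(claims)}.sig-placeholder`,
    token_type: 'Bearer', expires_in: 900};
}

// The scope_narrowing object from the request example on this page.
const requested = {scope: 'organization', scopeId: 'proj-abc123', roles: ['member']};
console.log(checkNarrowedToken(makeSampleResponse(), requested));
console.log(checkNarrowedToken(makeSampleResponse({roles: ['member', 'admin']}), requested));
```

In a real client, pass the parsed JSON response from the token endpoint as tokenResponse and treat any non-empty result as a reason to discard the token.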