• Register

Token Endpoint

The endpoint for requesting access tokens by each client (in exchange for an authorization grant, e.g. code or refresh token)


POST https://.../oauth/token

Header Attributes:

  • Authorization: credentials of the client identified by the client_id. Basic scheme to be used, where the value is a Base64 encoded string consisting of: {client_id}:{client_secret}
  • Content-Type: application/x-www-form-urlencoded

Body Parameters (note that parameters sent as query parameters are not accepted by the OA2 server):

  • grant_type: Used grant type, e.g. authorization_code (for authorization code flow) or refresh_token (for refresh token flow)
  • client_id: A unique identification of the client application (package key), which is assigned during application registration. The value must be equal to the one provided in the authorization request. (Not required for grant_type=refresh_token.)
  • redirect_uri: A URI that will be called after the authentication and the authorization steps are done. The value must be equal to the one provided in the authorization request. (Not required for grant_type=refresh_token.)
  • code: The authorization code as received from the Authorization Endpoint. (Not required for grant_type=refresh_token.)
  • refresh_token: The refresh token as received from a previous token call. (Only required for grant_type=refresh_token.)
  • code_verifier: the PKCE code verifier that corresponds to the code_challenge of the previous authorize call, according to RFC7636. (Not required for grant_type=refresh_token.)

Note: The "userLang" used to call the backend systems is taken from out of the client "Accept-Language"-Header.


Code Description Content-Type Schema
200 The OAuth2 server accepted the request and generated an Access Token (and possibly a Refresh Token). application/json Token Response
The OAuth2 server rejected the request and generated an Error Response. application/json Error Response

Token Response

Field Description
access_token The access token to be used for further backend calls
token_type The token type e.g. bearer
refresh_token The refresh token to refresh the sessions
expires_in The time until the access_token expires (in seconds)
scope The scopes the access_token can be used for

Error Response (Example)

Code snippet: Json
  "error_description": "The grant type is not supported for the given client_id.",
  "error": "unsupported_grant_type"
Field Description

The description what the reason of the error was

error The error code e.g. unsupported_grant_type
Error Description
unsupported_grant_type If the grant type is not support for a client id
service_unavailable If the maintenance mode is active
invalid_request If parameter has not been applied correctly
invalid_grant If an error occurred during the mashery call
invalid_client If an error occurred during the mashery call



Code snippet: Example request
POST https://oauth-test.lufthansa.com/lhcrew/oauth/token?grant_type=authorization_code


Code snippet: Example response
  "access_token": "adsfasdfaddsfnbwert345124",
  "token_type": "bearer",
  "refresh_token": "1324jrasv0q143k5rjasd09q4",
  "expires_in": 3599,
  "scope": "https://cms.fra.dlh.de/publicCrewApi"

Docs Navigation