API Reference: OAuth Token

Token Endpoint

Issues an access_token and a refresh_token. Supports two grant types:

  • authorization_code: exchanges the authorization code for tokens. Requires code_verifier (PKCE): the server hashes it and compares the result with the code_challenge sent on the authorization request, and a code can be redeemed only once.
  • refresh_token: exchanges a refresh token for a new token pair. Refresh tokens rotate on every use: the token you sent is invalidated and the response carries its replacement, so persist the new refresh_token before doing anything else with the response. A client that loses the new token (for example, a crash between receiving the response and writing it to storage) cannot refresh again and has to send the user back through authorization.

Rate limits: 60 requests/min per IP and 30 requests/min per client_id. Requests over either limit get a rate_limit_exceeded error; wait for the interval named in error_description instead of retrying in a tight loop, since each retry is itself a token request.

Confidential clients authenticate with HTTP Basic (Authorization: Basic BASE64(client_id:client_secret)) or by sending client_id and client_secret as form parameters in the body; prefer the header, and never put the secret in the URL. Public clients cannot hold a secret: they send only client_id in the body and rely on PKCE to bind the code exchange to the session that started it.
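The flow the two grants describe, as an added example that is not part of this reference or the vendor's SDK: a Python client that does the PKCE exchange, authenticates as confidential (HTTP Basic) or public (client_id only), and hands every rotated refresh_token to a persist callback before returning, together with an in-memory FakeTokenEndpoint that stands in for https://api.whatalo.com/oauth/token so the code runs offline. The fake enforces what the page states (single-use codes checked against the PKCE challenge, refresh rotation, the error bodies shown in this reference); its HTTP status codes, its wording for a reused refresh token, the code parameter name (taken from RFC 6749) and the client ids, secret and authorization code used in demo() are assumptions or constructed values.

```python
# Added example, not the vendor's SDK: PKCE code exchange and rotating refresh for /oauth/token.
# FakeTokenEndpoint is a constructed stand-in for https://api.whatalo.com/oauth/token (its HTTP
# status codes and its refresh-reuse error text are assumptions) so the module runs offline.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode

def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256 transform; the server applies it to the submitted code_verifier."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

def make_pkce_pair():
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, s256_challenge(verifier)  # challenge goes to /authorize, verifier to /oauth/token

class TokenError(Exception):  # args: (error, error_description) straight from the response body
    pass

class TokenClient:
    """transport(headers, form) -> (status, dict); persist(refresh_token) runs before any return."""
    def __init__(self, client_id, transport, persist, client_secret=None):
        self.client_id, self.client_secret = client_id, client_secret
        self.transport, self.persist = transport, persist
    def _post(self, params):
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        if self.client_secret:  # confidential client: HTTP Basic, secret never in body or URL
            cred = f"{self.client_id}:{self.client_secret}".encode()
            headers["Authorization"] = "Basic " + base64.b64encode(cred).decode()
        else:  # public client: client_id only; PKCE is what binds the code to this client
            params["client_id"] = self.client_id
        status, body = self.transport(headers, urlencode(params))
        if status != 200:
            raise TokenError(body.get("error", "unknown"), body.get("error_description", ""))
        self.persist(body["refresh_token"])  # store first: the token we just sent is already dead
        return body
    def exchange_code(self, code, code_verifier):
        return self._post({"grant_type": "authorization_code", "code": code, "code_verifier": code_verifier})
    def refresh(self, refresh_token):
        return self._post({"grant_type": "refresh_token", "refresh_token": refresh_token})

class FakeTokenEndpoint:
    """Single-use codes bound to a PKCE challenge; refresh tokens rotate on every use."""
    def __init__(self, clients):
        self.clients = clients    # client_id -> secret (confidential) or None (public)
        self.codes = {}           # code -> (client_id, code_challenge), as /authorize would record
        self.refresh_tokens = {}  # live refresh token -> client_id
    def _authenticate(self, headers, form):
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
            known = self.clients.get(cid) or ""  # unknown or public client: nothing to match
            return cid if secret and secrets.compare_digest(known.encode(), secret.encode()) else None
        cid = form.get("client_id", [None])[0]
        return cid if cid in self.clients and self.clients[cid] is None else None
    def _mint(self, client_id):
        body = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600,
                "refresh_token": secrets.token_urlsafe(32), "scope": "read:products read:orders"}
        self.refresh_tokens[body["refresh_token"]] = client_id
        return 200, body
    def handle(self, headers, body):
        form = parse_qs(body)
        client_id = self._authenticate(headers, form)
        if client_id is None:
            return 401, {"error": "invalid_client", "error_description": "Client authentication failed"}
        grant = form.get("grant_type", [""])[0]
        if grant == "authorization_code":
            entry = self.codes.pop(form.get("code", [""])[0], None)  # pop: a code is single-use
            expected = s256_challenge(form.get("code_verifier", [""])[0]).encode()
            if entry is None or entry[0] != client_id or not secrets.compare_digest(entry[1].encode(), expected):
                return 400, {"error": "invalid_grant",
                             "error_description": "Authorization code has expired or was already used"}
            return self._mint(client_id)
        if grant == "refresh_token":
            if self.refresh_tokens.pop(form.get("refresh_token", [""])[0], None) != client_id:
                return 400, {"error": "invalid_grant", "error_description": "Refresh token already rotated"}
            return self._mint(client_id)  # the pop above is the rotation: the old token is now invalid
        return 400, {"error": "unsupported_grant_type", "error_description": grant}

def _outcome(call):
    try:
        return call() and "accepted"
    except TokenError as exc:
        return exc.args[0]

def demo():
    server = FakeTokenEndpoint({"spa-client": None, "backend-client": "s3cret"})  # constructed ids
    store = {}  # stands in for the app's durable token storage; persist() writes here
    client = TokenClient("spa-client", server.handle, persist=lambda rt: store.__setitem__("refresh", rt))
    verifier, challenge = make_pkce_pair()
    code = "constructed-auth-code"
    server.codes[code] = ("spa-client", challenge)  # what the /authorize step would have stored
    first = client.exchange_code(code, verifier)
    replay = _outcome(lambda: client.exchange_code(code, verifier))  # same code a second time
    second = client.refresh(first["refresh_token"])
    reuse = _outcome(lambda: client.refresh(first["refresh_token"]))  # presenting the rotated-out token
    return {"replay": replay, "reuse": reuse,
            "rotated": first["refresh_token"] != second["refresh_token"],
            "stored": store["refresh"] == second["refresh_token"]}
```

demo() returns what happened at each step: the replayed code and the rotated-out refresh token both come back as invalid_grant, and the token in the store matches the latest response. To use TokenClient against the live endpoint, swap server.handle for a real transport (anything that takes the headers and form body and returns the status plus parsed JSON); the persist hook is where a real application writes to its database or keychain, and it deliberately runs before the caller sees the response.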

POST /oauth/token

Request Body

application/x-www-form-urlencoded

Example Request

curl -X POST "https://api.whatalo.com/oauth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "code=AUTHORIZATION_CODE" \
  -d "code_verifier=PKCE_CODE_VERIFIER" \
  -d "client_id=YOUR_CLIENT_ID"

The upper-case values are placeholders. code is the RFC 6749 parameter name for the authorization code returned by the authorization step. A confidential client drops client_id from the body and adds -u "CLIENT_ID:CLIENT_SECRET", which curl sends as the HTTP Basic header.

Response Body

application/json

Success:

{
  "access_token": "DlcGJFC7UmSx2fYKj7Bg3jhT9QgpyIzNcx7OGAoFu8U",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "LKr5XU5xyiD0XscBPSO9tm0DsSK2AKsWL2fOe9an6v8",
  "scope": "read:products read:orders"
}

Error: invalid_grant

{
  "error": "invalid_grant",
  "error_description": "Authorization code has expired or was already used"
}

Error: invalid_client

{
  "error": "invalid_client",
  "error_description": "Client authentication failed"
}

Error: rate_limit_exceeded

{
  "error": "rate_limit_exceeded",
  "error_description": "Too many token requests. Retry after 30 seconds."
}