Token exchange - Freedom Pay

When a user consents to provide the requested access rights, Freedom ID redirects the user to the specified redirect_uri with an appended authorization_code parameter.

This one-time code must be exchanged for an access_token and refresh_token for subsequent operations.

If the transferred revoke_uri is not empty, it can be called by the FreedomID side after the end of the user's main session.
This is necessary so that the user has the opportunity to recall all sessions on the partner side after logging out of the FreedomID personal account.
When calling this URL, the POST method is used, the following structure is transferred in the request body:

{
    "id": "{TOKEN_ID}"
}

The partner makes a decision on his side and can revoke the session that was opened within the framework of this token.

Request

Authorization

Send your HTTP requests with an

Authorization

header that contains the word Basic followed by a space and a base64-encoded string username:password

Example:

Authorization: Basic *****************

Body Params application/json

authorization_code

string

required

Authorization code received after the successful user authentication.

revoke_uri

string <URL>

optional

Callback link after access token is revoked.

Example

{
    "authorization_code": "your_authorization_code",
    "revoke_uri": "https://example.com/revoke-user-session"
}

Request samples

Shell

JavaScript

Java

Swift

PHP

Python

HTTP

Objective-C

Ruby

OCaml

Dart

Responses

🟢200Success

application/json

Body

string <uuid>

required

Access token unique identifier (UUID)

access_token

string <[a-zA-Z0-9]{128}>

required

Access token used for authentication in requests to protected resources. The token is valid for 7 days from the request date. In subsequent requests in FID, this field is referred to as client_access_token.

refresh_token

string <[a-zA-Z0-9]{128}>

required

Refresh token used to obtain a new access token. The token is valid for 1 month from the request date.

access_expire_at

string <Datetime:ISO-8601>

required

Expiration time of the access token

refresh_expire_at

string <Datetime:ISO-8601>

required

Expiration time of the refresh token

Example

{
    "id": "01953bce-e652-702c-a706-c389e30ebc01",
    "access_token": "RTtW2Q2EU2zKl8PdBFZIjQZzo3ZuUaClyxZasDjnlPWV4tcQVHJlN5stG4LMjC6Vg6VcBGi9ajUfLWRYn4AVR07fwmkbdi0JbGG39UFFeuS4QXsO4ZU5SdUKBNmzeuV9",
    "refresh_token": "vOrJ9DgKXiBgTkeh1zVZKMsE1Qo8TNJCNo7DTDD3tjvqiMAaP4qbEdNDz34fiUEVkoVSJKMPOjWEVPXOhKeAEPTgbWBYOjur0Qlid2XhwqGMqVrkUN5LHCZIPnaLUzeO",
    "access_expire_at": "2025-03-04T06:32:50.000000Z",
    "refresh_expire_at": "2025-03-25T06:32:50.000000Z"
}