> For the complete documentation index, see [llms.txt](https://docs.healthsherpa.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.healthsherpa.com/on-exchange-api-documentation/api-reference/intake-form-api/authentication-flow-for-intake-api/post-token.md).

# POST Token

Issue an access token

## Token endpoint (authorization code or refresh token)

> Issues or refreshes access tokens. \`application/x-www-form-urlencoded\` is the standard encoding; \`application/json\` with the same field names is also accepted.<br>

```json
{"openapi":"3.0.3","info":{"title":"HealthSherpa OAuth Authorization","version":"1.0.0"},"tags":[{"name":"POST token","description":"Issue an access token"}],"servers":[{"url":"https://healthsherpa.com/oauth","description":"Production environment"},{"url":"https://staging.healthsherpa.com/oauth","description":"Staging environment"}],"paths":{"/token":{"post":{"summary":"Token endpoint (authorization code or refresh token)","description":"Issues or refreshes access tokens. `application/x-www-form-urlencoded` is the standard encoding; `application/json` with the same field names is also accepted.\n","operationId":"oauthTokenCreate","tags":["POST token"],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuthTokenRequest"}},"application/x-www-form-urlencoded":{"schema":{"$ref":"#/components/schemas/OAuthTokenRequest"}}}},"responses":{"200":{"$ref":"#/components/responses/OAuthTokenSuccess"},"400":{"description":"Invalid grant, unsupported grant type, or validation error. User must be logged in to get the initial access token based on authorization_code.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuth2ErrorResponseBody"}}}},"401":{"description":"Client authentication failed.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuth2ErrorResponseBody"}}}},"429":{"description":"Too many requests to OAuth authorization endpoints. Limit is 500 requests per minute (combined across authorization-related traffic when rate limiting applies).","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RateLimitError"}}}}}}}},"components":{"schemas":{"OAuthTokenRequest":{"oneOf":[{"$ref":"#/components/schemas/OAuthAuthorizationCodeTokenRequest"},{"$ref":"#/components/schemas/OAuthRefreshTokenRequest"}],"discriminator":{"propertyName":"grant_type","mapping":{"authorization_code":"#/components/schemas/OAuthAuthorizationCodeTokenRequest","refresh_token":"#/components/schemas/OAuthRefreshTokenRequest"}},"description":"Token request for either supported grant type."},"OAuthAuthorizationCodeTokenRequest":{"type":"object","required":["grant_type","code","redirect_uri","client_id","client_secret"],"properties":{"grant_type":{"type":"string","enum":["authorization_code"],"description":"Use `authorization_code` for the initial exchange."},"code":{"type":"string","description":"Authorization code from `GET /authorize` callback."},"redirect_uri":{"type":"string","description":"Same redirect URI used in the authorize request."},"client_id":{"type":"string","description":"OAuth client id (public UID)."},"client_secret":{"type":"string","description":"OAuth client secret for confidential clients."}}},"OAuthRefreshTokenRequest":{"type":"object","required":["grant_type","refresh_token","redirect_uri","client_id","client_secret"],"properties":{"grant_type":{"type":"string","enum":["refresh_token"],"description":"Use `refresh_token` to rotate access."},"refresh_token":{"type":"string","description":"Issued refresh token."},"redirect_uri":{"type":"string","description":"Same redirect URI associated with the client."},"client_id":{"type":"string","description":"OAuth client id (public UID)."},"client_secret":{"type":"string","description":"OAuth client secret for confidential clients."}}},"OAuthAccessTokenSuccessResponse":{"type":"object","required":["access_token","token_type","expires_in","refresh_token","scope","created_at"],"properties":{"access_token":{"type":"string","description":"Bearer access token to use in the Intake Form API authorization header."},"token_type":{"type":"string","description":"Token type; value is `Bearer`."},"expires_in":{"type":"integer","description":"Lifetime of the access token in seconds from issuance."},"refresh_token":{"type":"string","description":"Token used to issue a new access token without going through the authorize process again. Refresh tokens do not expire until the new access token it granted is used."},"scope":{"type":"string","description":"Granted scope string."},"created_at":{"type":"integer","description":"Unix timestamp when the token was created."}}},"OAuth2ErrorResponseBody":{"type":"object","required":["error"],"properties":{"error":{"type":"string","description":"OAuth 2.0 error code."},"error_description":{"type":"string","description":"Human-readable error description."}}},"RateLimitError":{"type":"object","required":["message","error","retry_after"],"properties":{"message":{"type":"string","description":"Human-readable explanation of the throttle."},"error":{"type":"string","description":"Machine-readable error type for rate limiting.","enum":["rate_limit_exceeded"]},"retry_after":{"type":"integer","description":"Suggested wait time in seconds before sending more traffic."}}}},"responses":{"OAuthTokenSuccess":{"description":"Access token response from the token endpoint.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuthAccessTokenSuccessResponse"}}}}}}}
```


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.healthsherpa.com/on-exchange-api-documentation/api-reference/intake-form-api/authentication-flow-for-intake-api/post-token.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
