> ## Documentation Index
> Fetch the complete documentation index at: https://docs.flexslot.gg/llms.txt
> Use this file to discover all available pages before exploring further.

# OAuth2 token endpoint (RFC 6749 §4.1.3 + §6)

> Exchanges an authorization code for an access + refresh token pair (``grant_type=authorization_code``) or rotates an existing refresh token (``grant_type=refresh_token``). Returns the RFC 6749 §5.1 JSON shape on success or the §5.2 error shape on failure.



## OpenAPI

````yaml /openapi.json post /api/public/v1/oauth/token
openapi: 3.0.3
info:
  title: Flexslot API
  version: 1.0.0
  description: API documentation for Flexslot decks application
servers:
  - url: https://api.flexslot.gg
    description: Production
  - url: https://api-dev.flexslot.gg
    description: Development
security: []
paths:
  /api/public/v1/oauth/token:
    post:
      tags:
        - OAuth2
      summary: OAuth2 token endpoint (RFC 6749 §4.1.3 + §6)
      description: >-
        Exchanges an authorization code for an access + refresh token pair
        (``grant_type=authorization_code``) or rotates an existing refresh token
        (``grant_type=refresh_token``). Returns the RFC 6749 §5.1 JSON shape on
        success or the §5.2 error shape on failure.
      operationId: oauth2_token
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/OAuth2TokenRequestRequest'
        required: true
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuth2TokenResponse'
          description: ''
        '400':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuth2TokenError400'
          description: RFC 6749 §5.2 error.
        '401':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuth2TokenError401'
          description: RFC 6749 §5.2 invalid_client error.
      security:
        - {}
components:
  schemas:
    OAuth2TokenRequestRequest:
      type: object
      properties:
        grant_type:
          type: string
          minLength: 1
          description: '''authorization_code'' or ''refresh_token''.'
        code:
          type: string
          minLength: 1
          description: Authorization-code grant only.
        redirect_uri:
          type: string
          minLength: 1
          description: Authorization-code grant only.
        code_verifier:
          type: string
          minLength: 1
          description: Authorization-code grant only (PKCE).
        refresh_token:
          type: string
          minLength: 1
          description: Refresh-token grant only.
        scope:
          type: string
          minLength: 1
          description: Optional refresh-token scope narrowing.
        client_id:
          type: string
          minLength: 1
          description: When not using HTTP Basic.
        client_secret:
          type: string
          minLength: 1
          description: Confidential client only.
      required:
        - grant_type
    OAuth2TokenResponse:
      type: object
      properties:
        access_token:
          type: string
        token_type:
          type: string
        expires_in:
          type: integer
        refresh_token:
          type: string
        scope:
          type: string
      required:
        - access_token
        - expires_in
        - refresh_token
        - scope
        - token_type
    OAuth2TokenError400:
      type: object
      properties:
        error:
          type: string
        error_description:
          type: string
      required:
        - error
        - error_description
    OAuth2TokenError401:
      type: object
      properties:
        error:
          type: string
        error_description:
          type: string
      required:
        - error
        - error_description

````