POST /auth/token
curl -X POST "https://api.tktchurch.com/v1/auth/token" \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "refresh_token",
    "refresh_token": "eyJhbGciOiJIUzI1NiIs..."
  }'
{
  "access_token": "eyJhbGciOiJIUzI1NiIs...",
  "refresh_token": "eyJhbGciOiJIUzI1NiIs...",
  "expires_in": 3600,
  "token_type": "bearer"
}
This endpoint handles several token operations, selected by grant_type: refreshing an access token with a refresh token, retrieving information about an access token, and signing in with a social provider's ID token (a JWT issued by Google or Apple).

Request Body

grant_type
string
required
The type of token operation to perform:
  • refresh_token: Get new access token using refresh token
  • token_info: Get information about an access token
  • id_token: Authenticate with a social provider’s ID token
refresh_token
string
Required when grant_type is “refresh_token”. The refresh token to use for obtaining a new access token.
access_token
string
Required when grant_type is “token_info”. The access token to get information about.
id_token
string
Required when grant_type is “id_token”. The ID token from a social provider.

Response

access_token
string
JWT access token (for refresh_token and id_token grant types)
refresh_token
string
JWT refresh token (for refresh_token and id_token grant types)
expires_in
integer
Lifetime of the access token in seconds, measured from the time of issue (default: 3600)
token_type
string
Type of token (always “bearer”)
is_new_user
boolean
Only present for id_token grant type. Indicates if a new user was created.

Token Info Response

When using token_info grant type, the response includes:
sub
string
User ID associated with the token
scopes
array
List of permissions granted to the token.
exp
string
Token expiration timestamp
iat
string
Token issued at timestamp
user
object

Social Authentication Flow

When using id_token grant type, the endpoint:
  1. Token Verification:
    • Verifies the ID token signature using provider’s JWKS
    • Validates token claims (iss, aud, exp, iat)
    • Extracts user information from token payload
  2. Provider Validation:
    • Google tokens must be issued by https://accounts.google.com
    • Apple tokens must be issued by https://appleid.apple.com
    • Client ID validation against environment configuration
  3. Account Processing:
    • Checks for existing account with email
    • Links the account to the provider if one already exists, but only after confirming that the account's primary provider matches the provider that issued the token
    • Creates new account if email is new
    • Assigns default member role to new accounts

Error Responses

error
object
Error details when the request fails
Common error cases:
  • 400 Bad Request: Missing required fields or invalid grant type
  • 401 Unauthorized: Invalid/expired tokens or provider verification failed
  • 403 Forbidden: Provider not linked or insufficient permissions