Token endpoint (OAuth 2.1)
OAuth 2.1 token endpoint. Exchanges a single-use authorization code (5-minute TTL) for a Bifrost-issued access token (24-hour TTL) after PKCE verification.

The request body must be application/x-www-form-urlencoded.

The returned access_token is the Bearer token to use on subsequent /mcp requests. It carries the user's upstream service tokens (Notion, GitHub, etc.) linked to their identity (Virtual Key or User ID) from the consent flow.

Authentication is not required - this is part of the unauthenticated OAuth bootstrap flow.
Header parameters

Authorization (header, optional)
  Bearer token authentication. Use your MPilot virtual-key JWT or admin JWT. Virtual keys (prefixed with sk-bf-) can also be passed here.
Request body (application/x-www-form-urlencoded)

grant_type (required)
  Must be authorization_code.

code (required)
  Authorization code received in the redirect callback.

redirect_uri (optional)
  Must match the redirect_uri used in the authorize request (if provided).

client_id (optional)
  Client ID (optional - the code is already bound to the client).

code_verifier (required)
  PKCE code verifier - the raw secret whose SHA-256 matches the code_challenge.
Example request

  curl -X POST "https://{AI_GATEWAY_URL}/api/oauth/per-user/token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'grant_type=authorization_code&code=string&code_verifier=string'

Response Body

Success:

  {
    "access_token": "abc123xyz...",
    "token_type": "Bearer",
    "expires_in": 86400,
    "scope": "mcp:read mcp:write"
  }

Error (invalid_grant - the code is unknown, already used, expired, or fails the PKCE or redirect_uri check):

  {
    "error": "invalid_grant",
    "error_description": "string"
  }

Error (plain string body):

  "string"

Error (server_error):

  {
    "error": "server_error",
    "error_description": "string"
  }
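The exchange above, worked end to end as an added example (not Bifrost's own code): the client derives the S256 code_challenge from a random code_verifier and builds the form body, and a hypothetical server-side CodeStore models the checks the endpoint description implies (grant_type, single-use code, 5-minute TTL, redirect_uri match, PKCE verification) before returning the Bearer token. The CodeStore class, its method names and the unsupported_grant_type error code are assumptions for illustration; the sample codes and redirect URI are constructed.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qsl, urlencode

CODE_TTL_SECONDS = 300     # single-use authorization code, 5-minute TTL
TOKEN_TTL_SECONDS = 86400  # Bifrost access token, 24-hour TTL

def s256(verifier):
    """base64url(SHA-256(verifier)) without padding, as sent in code_challenge."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def make_pkce_pair():
    """Client side: a random code_verifier and its matching S256 code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, s256(verifier)

def token_request_body(code, verifier, redirect_uri=None, client_id=None):
    """Client side: the x-www-form-urlencoded body for the token endpoint."""
    fields = {"grant_type": "authorization_code", "code": code, "code_verifier": verifier}
    if redirect_uri:
        fields["redirect_uri"] = redirect_uri
    if client_id:
        fields["client_id"] = client_id
    return urlencode(fields)

class CodeStore:
    """Hypothetical server-side model of the checks the token endpoint performs."""
    def __init__(self):
        self._codes = {}

    def issue(self, code, challenge, redirect_uri, now):
        """Authorize step: remember the challenge, redirect_uri and issue time for a code."""
        self._codes[code] = {"challenge": challenge, "redirect_uri": redirect_uri, "issued": now}

    def redeem(self, body, now):
        form = dict(parse_qsl(body))
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type", "error_description": "grant_type must be authorization_code"}
        # pop() consumes the code on first use, whether or not the remaining checks pass
        entry = self._codes.pop(form.get("code"), None)
        if entry is None or now - entry["issued"] > CODE_TTL_SECONDS:
            return {"error": "invalid_grant", "error_description": "code unknown, already used or expired"}
        if "redirect_uri" in form and form["redirect_uri"] != entry["redirect_uri"]:
            return {"error": "invalid_grant", "error_description": "redirect_uri mismatch"}
        if not secrets.compare_digest(s256(form.get("code_verifier", "")), entry["challenge"]):
            return {"error": "invalid_grant", "error_description": "PKCE verification failed"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": TOKEN_TTL_SECONDS, "scope": "mcp:read mcp:write"}
```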