Token endpoint (OAuth 2.1)

OAuth 2.1 token endpoint. Exchanges a single-use authorization code (5-minute TTL) for a Bifrost-issued access token (24-hour TTL) using PKCE verification.

The request body must be application/x-www-form-urlencoded.

The returned access_token is the Bearer token to send on subsequent /mcp requests (Authorization: Bearer <access_token>). Treat it as a credential: it carries the user's upstream service tokens (Notion, GitHub, etc.) linked to the identity (Virtual Key or User ID) established in the consent flow, so anyone holding it can act against those services as that user until it expires.

Authentication is not required - this endpoint is part of the unauthenticated OAuth bootstrap flow. The authorization code and the PKCE code_verifier are what prove the caller is the client that started the flow.

POST /api/oauth/per-user/token

Headers

Content-Type: application/x-www-form-urlencoded (required)

Authorization: Bearer <token> (not required for this endpoint, see the note above; where this API does accept a bearer token it is an MPilot virtual-key JWT or admin JWT, and virtual keys prefixed with sk-bf- can also be passed)

Request body (form fields)

grant_type (string, required) - Must be "authorization_code".

code (string, required) - Authorization code received in the redirect callback. Single-use; expires 5 minutes after issue.

redirect_uri (string, optional) - Must match the redirect_uri used in the authorize request, if one was provided there.

client_id (string, optional) - The code is already bound to the client that requested it, so this is not needed to identify the client.

code_verifier (string, required) - PKCE code verifier: the raw secret whose SHA-256 digest, base64url-encoded, equals the code_challenge sent in the authorize request (the S256 method).

Example request

curl -X POST "https://{AI_GATEWAY_URL}/api/oauth/per-user/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'grant_type=authorization_code&code=<code>&code_verifier=<code_verifier>'

Response Body

Success - the token is issued. expires_in is in seconds (86400 = 24 hours, matching the access-token TTL above):

{
  "access_token": "abc123xyz...",
  "token_type": "Bearer",
  "expires_in": 86400,
  "scope": "mcp:read mcp:write"
}

Error - invalid_grant. Returned when the code is unknown, already redeemed, older than 5 minutes, the code_verifier does not hash to the stored code_challenge, or redirect_uri does not match the authorize request. RFC 6749 section 5.2 specifies HTTP 400 for token-endpoint errors of this kind:

{
  "error": "invalid_grant",
  "error_description": "string"
}

Error - server_error. The gateway failed while processing the exchange; the code should be treated as unusable and the flow restarted:

{
  "error": "server_error",
  "error_description": "string"
}
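The exchange above as a runnable example. This is added here and is not Bifrost's own code: the client side derives a PKCE code_verifier/code_challenge pair and builds the form-encoded POST exactly as the field list requires, and HypotheticalTokenServer is an assumed in-memory stand-in for the gateway that enforces the properties the page states (single-use code, 5-minute TTL, PKCE S256 check, redirect_uri binding) so the flow runs offline. The hostnames gateway.example and app.example, the client id client-a and the function run_flow are assumptions for the demonstration.

```python
# Added example, not Bifrost's own code: a PKCE authorization-code exchange
# against the token endpoint described above. HypotheticalTokenServer is an
# in-memory stand-in for the gateway so the flow runs offline; the real
# endpoint's internals are not shown on this page.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

CODE_TTL_SECONDS = 5 * 60          # authorization-code lifetime from the page
TOKEN_TTL_SECONDS = 24 * 60 * 60   # access-token lifetime from the page


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43 base64url characters, the RFC 7636 minimum."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_token_request(gateway_url, code, verifier, redirect_uri=None, client_id=None):
    """Client side: the form-encoded POST the endpoint expects."""
    form = {"grant_type": "authorization_code", "code": code, "code_verifier": verifier}
    if redirect_uri:
        form["redirect_uri"] = redirect_uri
    if client_id:
        form["client_id"] = client_id
    return {
        "url": f"{gateway_url}/api/oauth/per-user/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(form),
    }


def _invalid_grant(desc):
    return 400, {"error": "invalid_grant", "error_description": desc}


class HypotheticalTokenServer:
    """Assumed gateway stand-in enforcing the checks the page describes:
    single use, 5-minute TTL, PKCE S256 and redirect_uri/client binding."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.codes = {}  # code -> record captured at the authorize step

    def issue_code(self, challenge, client_id, redirect_uri=None):
        code = b64url(secrets.token_bytes(32))
        self.codes[code] = {"challenge": challenge, "client_id": client_id,
                            "redirect_uri": redirect_uri,
                            "expires": self.clock() + CODE_TTL_SECONDS}
        return code

    def token(self, body):
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if form.get("grant_type") != "authorization_code":
            return 400, {"error": "unsupported_grant_type",
                         "error_description": "grant_type must be authorization_code"}
        # pop() consumes the code: a replay, or a retry after a failed PKCE
        # check, finds nothing and gets invalid_grant.
        rec = self.codes.pop(form.get("code", ""), None)
        if rec is None or self.clock() > rec["expires"]:
            return _invalid_grant("code unknown, already used, or expired")
        if rec["redirect_uri"] and form.get("redirect_uri") != rec["redirect_uri"]:
            return _invalid_grant("redirect_uri does not match the authorize request")
        if form.get("client_id") and form["client_id"] != rec["client_id"]:
            return _invalid_grant("code was issued to a different client")
        expected = code_challenge_s256(form.get("code_verifier", ""))
        if not hmac.compare_digest(expected, rec["challenge"]):
            return _invalid_grant("PKCE verification failed")
        return 200, {"access_token": b64url(secrets.token_bytes(32)),
                     "token_type": "Bearer", "expires_in": TOKEN_TTL_SECONDS,
                     "scope": "mcp:read mcp:write"}


def run_flow(clock=time.time):
    """One honest exchange, then a replay of the same code, then a wrong verifier."""
    srv = HypotheticalTokenServer(clock)
    verifier = make_code_verifier()
    code = srv.issue_code(code_challenge_s256(verifier), "client-a", "https://app.example/cb")
    req = build_token_request("https://gateway.example", code, verifier,
                              redirect_uri="https://app.example/cb")
    ok = srv.token(req["body"])
    replay = srv.token(req["body"])
    code2 = srv.issue_code(code_challenge_s256(verifier), "client-a")
    wrong = srv.token(build_token_request("https://gateway.example", code2,
                                          make_code_verifier())["body"])
    return {"ok": ok, "replay": replay, "wrong_verifier": wrong}


if __name__ == "__main__":
    for name, (status, body) in run_flow().items():
        print(name, status, body.get("error", body.get("token_type")))
```

Two design points worth noticing. The server consumes the code before any check runs, so a failed PKCE attempt burns it; an attacker who intercepts the redirect cannot keep guessing verifiers, and the legitimate client simply restarts the flow. The challenge comparison uses hmac.compare_digest rather than ==, so the check is not a timing oracle on the stored challenge.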