Reference token leg — code → access token (sandbox)
SANDBOX-ONLY. Exchanges an authorization code (any value carrying the sbxauth_ prefix) for an opaque bearer access token. Accepts application/x-www-form-urlencoded or JSON; PKCE code_verifier is accepted and ignored. Stateless. Gated on the Restricted band. Source: internal/ocsshttp/handler_sandbox_oauth.go Token().
/api/v1), gated on
PHOSRA_ENV==sandbox — 404 elsewhere.sbxauth_ prefix, from
GET /oauth/authorize) for an opaque bearer
access token. Accepts application/x-www-form-urlencoded or JSON. A PKCE code_verifier is
accepted and ignored. Stateless — tokens live one hour.
Worked example
Fully runnable — this leg is unsigned:200 response (captured from the hosted sandbox):
grant_type returns 400 unsupported_grant_type; a code without the
sbxauth_ prefix returns 400 invalid_grant. Present the sbxtok_… token to
GET /oauth/profiles.Authorizations
Bearer authentication header of the form Bearer <token>, where <token> is your auth token.
Body
Response
Access token issued.
SANDBOX-ONLY access token from POST /oauth/token. Source: internal/ocsshttp/handler_sandbox_oauth.go Token().
Opaque bearer ("sbxtok_…"). Present it to GET /oauth/profiles.
One of: Bearer.
Bearer Access-token lifetime in seconds (sandbox tokens live one hour).
3600
Granted scope; the reference provider issues the single profiles scope.
"profiles"