Skip to main content
POST
/
oauth
/
token
curl (runnable — unsigned leg)
curl -X POST https://phosra-api-sandbox-production.up.railway.app/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code&code=sbxauth_QBmKueI14KzQj9PM-2M9naWGkh2OU6WL"
{
  "access_token": "sbxtok_8zc0PBmNAjyIs3p8B3Y2oxQW2csHHoy1",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "profiles"
}
Sandbox only. Hosted on the census host root (not /api/v1), gated on PHOSRA_ENV==sandbox404 elsewhere.
Exchanges an authorization code (any value carrying the sbxauth_ prefix, from GET /oauth/authorize) for an opaque bearer access token. Accepts application/x-www-form-urlencoded or JSON. A PKCE code_verifier is accepted and ignored. Stateless — tokens live one hour.

Worked example

Fully runnable — this leg is unsigned:
curl -X POST https://phosra-api-sandbox-production.up.railway.app/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code&code=sbxauth_QBmKueI14KzQj9PM-2M9naWGkh2OU6WL"
Real 200 response (captured from the hosted sandbox):
{
  "access_token": "sbxtok_9xRWtUBLsk1omBYjWWe-20KbCxTO1Noh",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "profiles"
}
An unsupported grant_type returns 400 unsupported_grant_type; a code without the sbxauth_ prefix returns 400 invalid_grant. Present the sbxtok_… token to GET /oauth/profiles.

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Body

grant_type
enum<string>
required
Available options:
authorization_code
code
string
required
Example:

"sbxauth_…"

Response

Access token issued.

SANDBOX-ONLY access token from POST /oauth/token. Source: internal/ocsshttp/handler_sandbox_oauth.go Token().

access_token
string
required

Opaque bearer ("sbxtok_…"). Present it to GET /oauth/profiles.

token_type
enum<string>
required

One of: Bearer.

Available options:
Bearer
expires_in
integer
required

Access-token lifetime in seconds (sandbox tokens live one hour).

Example:

3600

scope
string
required

Granted scope; the reference provider issues the single profiles scope.

Example:

"profiles"