Token

Exchange an authorization code for tokens, or refresh an expired access token.

POST/oauth-token

These endpoints are used by third-party OAuth integrations (such as Zapier). If you are building a direct server integration, use an API key instead.

Try it

POST

API Key (stored locally in your browser only)

Create an API key in your workspace under Settings → Integrations & API.

Used in two situations:

Exchange an authorization code for an access_token + refresh_token
Refresh an expired access token using a refresh_token

Accepts either application/x-www-form-urlencoded or application/json.

Exchange authorization code

Body

Name	Type	Description
`grant_type`required	string	Must be `authorization_code`.
`code`required	string	The code received on the redirect.
`redirect_uri`required	string	Must match the redirect_uri used in /oauth-authorize.
`client_id`required	string	Your OAuth client ID.
`client_secret`required	string	Your OAuth client secret.
`code_verifier`	string	Required if a PKCE `code_challenge` was sent on /oauth-authorize. Verified using SHA‑256 (S256).

bash

curl -X POST 'https://api.wundertreos.com/functions/v1/oauth-token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=authorization_code' \
  -d 'code=8f3c2a1d9e7b4f6a5c2d1e0f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b' \
  -d 'redirect_uri=https://your-app.com/callback' \
  -d 'client_id=your_client' \
  -d 'client_secret=your_secret'

Refresh an access token

Each refresh rotates the refresh token — the old one is revoked and a new one is returned alongside the new access token.

Body

Name	Type	Description
`grant_type`required	string	Must be `refresh_token`.
`refresh_token`required	string	The refresh token from a prior exchange.
`client_id`required	string	Your OAuth client ID.
`client_secret`required	string	Your OAuth client secret.

Response

json

{
  "access_token": "8f3c2a1d9e7b4f6a5c2d1e0f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "1d3e5c7f9a1d3e5c7f9a1d3e5c7f9a1d3e5c7f9a1d3e5c7f9a1d3e5c7f9a1d3e",
  "scope": "contacts:read contacts:write webhooks:write"
}

expires_in is always 3600 (1 hour).

Errors

Status	`error`	When
400	`invalid_request`	Missing `grant_type`, `code`, `redirect_uri`, or `refresh_token`.
400	`invalid_grant`	Code or refresh token is unknown, expired, already used, or was issued to a different client. PKCE verifier mismatch.
400	`unsupported_grant_type`	`grant_type` is neither `authorization_code` nor `refresh_token`.
401	`invalid_client`	Missing or wrong `client_id` / `client_secret`.

PreviousAuthorize Next Revoke