Create Access Token

Exchange a credential for an access token. Supports two grant types: - `authorization_code`: Exchange an authorization code for an access token (cross-org data sharing). - `client_credentials`: Exchange a signed JWT assertion (`private_key_jwt`) for a short-lived access token (machine-to-machine auth, RFC 7523).

Authentication

AuthorizationBearer

Bearer authentication of the form Bearer <token>, where token is your auth token.

Headers

Key-InflectionenumOptional
Determines casing for the API response.
Allowed values:
Idempotency-KeystringOptional
Ensures the request is idempotent.
Persona-VersionenumOptional
Server API version. More info on versioning can be found [here](https://docs.withpersona.com/versioning).

Request

This endpoint expects an object.
authorization_codeobjectRequired
Exchange an authorization code for an access token.
OR
client_credentialsobjectRequired

Exchange a signed JWT assertion for a short-lived access token. The JWT must be signed with the private key corresponding to the public key registered on the OAuth client. Note: parameter names follow OAuth RFC 6749/7523 conventions (snake_case) rather than the Persona API default (kebab-case).

Response headers

RateLimit-Limitinteger
The maximum number of requests permitted in the current rate limit window for the API key used to authenticate the request. Returned on every authenticated response.
RateLimit-Remaininginteger
The number of requests remaining in the current rate limit window for the API key used to authenticate the request. Returned on every authenticated response.
RateLimit-Resetinteger
The number of seconds until the current rate limit window resets. Returned on every authenticated response.
Request-Idstring

The unique identifier of the API log entry that recorded this request. Starts with req_. Include this value when reaching out to Persona support. Present on every authenticated response, including error responses.

Persona-Environment-Idstring
The token of the Persona environment that handled the request. Returned on every authenticated response, including most error responses.
Persona-Organization-Idstring
The token of the Persona organization that handled the request. Returned on every authenticated response, including most error responses.

Response

This endpoint returns an Access Token.
access-tokenstring
Access Token that can be used wherever an API Key would be used.
expires-inintegerDefaults to 0
Number of seconds until the access token expires.
scopestring

Space-separated list of granted permissions. Format varies by grant type: for client_credentials, bare permission names (e.g. inquiry.read account.read); for authorization_code, permission:object pairs (e.g. inquiry.read:inq_xxx). Empty string when no permissions are granted.

token-typeenum

Errors

400
Bad Request Error
401
Unauthorized Error
403
Forbidden Error
404
Not Found Error
409
Conflict Error
422
Unprocessable Entity Error
429
Too Many Requests Error