---
descriptions:
  workos_connect_token_request:
    client_id: |
      The client ID of the WorkOS Connect Application.
    client_secret: |
      A secret key associated with the WorkOS Connect Application.
  workos_connect_token_response:
    access_token: |
      A JWT that can be used to authorize requests.
    expires_in: |
      The number of seconds until the access token expires.
    id_token: |
      A JWT that contains information about the user.
    refresh_token: >
      An opaque token that can be exchanged for new access, ID, and refresh
      tokens.
    token_type: >
      How to use the access token to authorize requests. Currently, this is
      always `"bearer"`, which means it should be included in the
      `Authorization` header of requests, e.g. `Authorization: Bearer <access
      token>`.
originalPath: >-
  .tmp-workos-clone/packages/docs/content/reference/workos-connect/token/index.mdx
---

# Token

This endpoint is called by WorkOS Connect Applications to get access tokens, ID tokens, and refresh tokens, depending on the `grant_type` provided when requested.

This endpoint is authenticated by providing the WorkOS Application's client ID and client secret in the body of the request.

There are four grant types available:

- [Authorization code](/reference/workos-connect/token/authorization-code-grant)
- [Refresh token](/reference/workos-connect/token/refresh-token-grant)
- [Client credentials](/reference/workos-connect/token/client-credentials-grant)
- [Device code](/reference/workos-connect/cli-auth/device-code-grant)

Each is described in greater detail below.