Get an Access Token.

Unless otherwise noted, this method must be called before any any other web service function, as the Authorization header value is required to call most methods.
A successful transaction will receive a 200 status code.

POST /Token
{
"grant_type": "client_credentials",
"client_id": "{email/username}",
"client_secret": "{password}"
}

POST /Token
{
"grant_type": "refresh_token",
"refresh_token": "{refresh token}",
}

POST /Token
{
"grant_type": "authorization_code",
"code": "{authorization code}",
"resource_type": "{resource type}"
}

POST /Token { "mfa_method": "Email or Auth", "mfa_token": "{mfa token from challenge endpoint}", "user_token": "{user token from challenge}", "otp":"{otp received within email}", "grant_type":"mfa_otp" } POST /Token { "grant_type": "authorization_code", "code": " Access Token from okta ", "resource_type": "okta" } HTTP Status Code 400 Error Codes (error property): InvalidGrantType - Invalid grant type.

InvalidResourceType - Invalid resource type.

InvalidRequest - The request is invalid.

IdTokenInvalid - Invalid id token.

HTTP Status Code 401 Error Codes (error property):

InvalidCredentials - Invalid credentials.

AccountUnverified - User account has not been verified.

IpRestriction - User's location is restricted by IP address. The IP address of the user's current location is invalid.

PasswordExpired - Password expired. The user must change their password.

AccountDisabled - Account is disabled.

AccountLockedOut - Too many invalid login attempts. The account has been disabled.

RefreshTokenInvalid - Invalid refresh token or expired.

IdTokenInvalid - Invalid id token.

MFARequired - MFA Required. To MFA via email, call the /token/challenge (POST) endpoint to continue.
To MFA via Authenticator app, call this endpoint again (MFA Example above).