> ## Documentation Index
> Fetch the complete documentation index at: https://tabillo.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Exchange Token

> Exchange an authorization code for access + refresh tokens, or exchange a refresh token for a new access token.




## OpenAPI

````yaml POST /oauth/token
openapi: 3.1.0
info:
  title: Tabillo API
  version: 1.0.0
  description: >
    External REST API for Tabillo workspaces. Authenticate using an API key
    generated in Settings → API Keys (admin only).
  contact:
    email: support@tabillo.com
servers:
  - url: https://crossproductroadmapbackend.vercel.app/api/v1
    description: Production
security:
  - ApiKeyAuth: []
  - OAuthBearer: []
paths:
  /oauth/token:
    post:
      tags:
        - OAuth
      summary: Exchange Code or Refresh Token
      description: >
        Exchange an authorization code for access + refresh tokens, or exchange
        a refresh token for a new access token.
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - grant_type
              properties:
                grant_type:
                  type: string
                  enum:
                    - authorization_code
                    - refresh_token
                code:
                  type: string
                  description: Required for authorization_code grant
                redirect_uri:
                  type: string
                  description: Required for authorization_code grant
                refresh_token:
                  type: string
                  description: Required for refresh_token grant
                client_id:
                  type: string
                client_secret:
                  type: string
                code_verifier:
                  type: string
                  description: PKCE code verifier (required if code_challenge was sent)
      responses:
        '200':
          description: Token response
          content:
            application/json:
              schema:
                type: object
                properties:
                  access_token:
                    type: string
                    example: tabt_abc123...
                  refresh_token:
                    type: string
                    example: tabr_xyz789...
                  token_type:
                    type: string
                    example: Bearer
                  expires_in:
                    type: integer
                    example: 3600
                  scope:
                    type: string
                    example: read write
      security: []
components:
  securitySchemes:
    ApiKeyAuth:
      type: http
      scheme: bearer
      bearerFormat: tab_<32 alphanumeric chars>
      description: >
        Generate an API key in your workspace Settings → API Keys. Pass it as
        `Authorization: Bearer tab_<key>` on every request.
    OAuthBearer:
      type: http
      scheme: bearer
      bearerFormat: tabt_<32 alphanumeric chars>
      description: >
        OAuth 2.0 access token obtained via the Authorization Code flow. Pass it
        as `Authorization: Bearer tabt_<token>` on every request. Tokens expire
        after 1 hour; use the refresh token to obtain a new one.

````