Preview release. These docs are a work in progress. Pages are still being written, links may break, and structure may shift without notice. Treat everything here as a draft and report issues on GitHub.
Redeem a pre-authorized-code for an access token
const url = 'https://example.com/oid4vci/token';
const options = {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: '{"grant_type":"urn:ietf:params:oauth:grant-type:pre-authorized_code","pre-authorized_code":"example","tx_code":"example"}'
};

try {
  const response = await fetch(url, options);
  const data = await response.json();
  console.log(data);
} catch (error) {
  console.error(error);
}

curl --request POST \
  --url https://example.com/oid4vci/token \
  --header 'Content-Type: application/json' \
  --data '{ "grant_type": "urn:ietf:params:oauth:grant-type:pre-authorized_code", "pre-authorized_code": "example", "tx_code": "example" }'

Public and unauthenticated OID4VCI token endpoint for the pre-authorized-code grant. Accepts only grant_type=urn:ietf:params:oauth:grant-type:pre-authorized_code with a valid, unexpired, single-use pre-authorized_code. A matching tx_code is required when the credential offer includes a tx_code object. Mints a short-TTL Notary-signed access token plus a c_nonce. Returns 404 when the pre-authorized-code flow is disabled. Error responses use the OpenID4VCI error envelope, not RFC 9457 Problem Details.
Request Body (required)
object
Example
urn:ietf:params:oauth:grant-type:pre-authorized_code
The numeric PIN shown on the offer page. Required when the credential offer includes a tx_code object.
Responses
Token response
object
Example
{
  "access_token": "eyJhbGciOiJFZERTQSIsInR5cCI6InJlZ2lzdHJ5LW5vdGFyeS1hY2Nlc3MrancifQ.payload.signature",
  "c_nonce": "b64url-nonce",
  "c_nonce_expires_in": 300,
  "expires_in": 300,
  "token_type": "Bearer"
}
Invalid request, grant, or tx_code
object
Example
{
  "error": "invalid_grant",
  "error_description": "pre-authorized code or tx_code is invalid"
}
Pre-authorized-code flow is disabled
Too many token attempts (wrong-PIN lockout or random-code flood)
object
Example
{
  "error": "slow_down",
  "error_description": "too many token requests"
}
Token issuance failed
object
Example
{
  "error": "server_error",
  "error_description": "token issuance failed"
}
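
The grant checks this endpoint describes (single-use, unexpired code; tx_code match when the offer carries one; wrong-PIN lockout), written out as an added JavaScript sketch that is not the project's code. The record shape, MAX_PIN_FAILURES, the mint() callback, the invalid_request code for malformed bodies and the sample values are assumptions; the random-code flood limit is not modelled.

```javascript
// Added sketch of the grant checks; not the project's implementation.
// Assumed: the record shape, MAX_PIN_FAILURES, and the mint() callback.
const GRANT = 'urn:ietf:params:oauth:grant-type:pre-authorized_code';
const MAX_PIN_FAILURES = 3;
const err = (error, error_description) => ({ error, error_description });

// Compare PINs without returning early at the first differing character.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

// codes: Map of code -> { expiresAt, txCode (string or null), used, failures }
function redeem(codes, body, now, mint) {
  if (!body || body.grant_type !== GRANT ||
      typeof body['pre-authorized_code'] !== 'string') {
    return err('invalid_request', 'grant_type or pre-authorized_code missing');
  }
  const bad = err('invalid_grant', 'pre-authorized code or tx_code is invalid');
  const rec = codes.get(body['pre-authorized_code']);
  // Unknown, expired and already-used codes get the same envelope.
  if (!rec || rec.used || now >= rec.expiresAt) return bad;
  if (rec.failures >= MAX_PIN_FAILURES) {
    return err('slow_down', 'too many token requests');
  }
  if (rec.txCode !== null) {
    const pin = typeof body.tx_code === 'string' ? body.tx_code : '';
    if (!constantTimeEqual(pin, rec.txCode)) {
      rec.failures += 1; // counted per code, so guessing the PIN locks it
      return bad;
    }
  }
  rec.used = true; // consume first: a replay must fail even if minting fails
  try {
    return mint();
  } catch {
    return err('server_error', 'token issuance failed');
  }
}

// Constructed data: one offer with PIN 4921, redeemed at t=1000.
function demo() {
  const codes = new Map([['abc', { expiresAt: 2000, txCode: '4921', used: false, failures: 0 }]]);
  const req = (tx_code) => ({ grant_type: GRANT, 'pre-authorized_code': 'abc', tx_code });
  const mint = () => ({ access_token: 'placeholder', token_type: 'Bearer', expires_in: 300 });
  return ['0000', '4921', '4921'].map((pin) => redeem(codes, req(pin), 1000, mint));
}
```

demo() returns invalid_grant for the wrong PIN, a token response for the correct one, and invalid_grant again for the replay of the consumed code.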