Get Access Token

Now that you have an authorization code from the previous step, exchange it for an access token and refresh token by calling the token endpoint.

Exchange the Authorization Code

POST /api/oauth/token

Exchange an authorization code for an access token and refresh token.

Send a POST request to the token endpoint with the authorization code and your client credentials:

curl
curl -X POST https://lxblog.app/api/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "authorization_code",
    "code": "AUTH_CODE",
    "redirect_uri": "https://yourapp.com/api/callback",
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET"
  }'
token-exchange.js
const response = await fetch('https://lxblog.app/api/oauth/token', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    grant_type: 'authorization_code',
    code: authorizationCode,
    redirect_uri: 'https://yourapp.com/api/callback',
    client_id: process.env.LXBLOG_CLIENT_ID,
    client_secret: process.env.LXBLOG_CLIENT_SECRET,
    // Include code_verifier if you used PKCE
    // code_verifier: storedCodeVerifier,
  }),
});

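// Stop here on a non-2xx response instead of parsing an error body as tokens
if (!response.ok) {
  throw new Error(`Token exchange failed with HTTP ${response.status}`);
}

const data = await response.json();
// Log only non-secret fields: the full response contains the access and refresh tokens
console.log(data.scope, data.blog);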

Token Response

On success, the token endpoint returns an access token, refresh token, and metadata about the authorized blog:

response.json
{
  "access_token": "lxb_at_xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "refresh_token": "lxb_rt_xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "articles:read blog:read",
  "blog": {
    "id": "blog_abc123",
    "name": "My Tech Blog",
    "slug": "my-tech-blog"
  }
}
  • access_token — use this in the Authorization header to make API requests. Expires after expires_in seconds (1 hour).
  • refresh_token — use this to obtain a new access token when the current one expires.
  • blog — the blog the user authorized your app to access.

Refreshing Tokens

Access tokens expire after one hour. Use the refresh token to obtain a new access token without requiring the user to re-authorize:

POST /api/oauth/token

Exchange a refresh token for a new access token and refresh token.

refresh-token.js
const response = await fetch('https://lxblog.app/api/oauth/token', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    grant_type: 'refresh_token',
    refresh_token: storedRefreshToken,
    client_id: process.env.LXBLOG_CLIENT_ID,
    client_secret: process.env.LXBLOG_CLIENT_SECRET,
  }),
});

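// Do not overwrite the stored tokens when the refresh request fails
if (!response.ok) {
  throw new Error(`Token refresh failed with HTTP ${response.status}`);
}

const data = await response.json();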

// IMPORTANT: Store the new refresh token — the old one is now invalid
const newAccessToken = data.access_token;
const newRefreshToken = data.refresh_token;

Refresh tokens are rotated on every use. Always store the new refresh_token from the response, replacing the previous one. Using an old refresh token will revoke the entire connection as a security measure, and the user will need to re-authorize your app.
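
Because a reused refresh token revokes the connection, concurrent requests in your app must never send the same refresh token twice. The sketch below is an added example, not LxBlog's own code: createTokenManager, the store object (load/save), fetchImpl and skewMs are hypothetical names chosen for illustration.

```javascript
// Added example: single-flight refresh for rotating refresh tokens.
// `store` is an assumed persistence layer with async load() and save().
const TOKEN_URL = 'https://lxblog.app/api/oauth/token';

function createTokenManager({ store, clientId, clientSecret,
                              fetchImpl = globalThis.fetch, skewMs = 60000 }) {
  let inFlight = null; // shared promise while a refresh is running

  async function refresh() {
    // Re-read the store so a late caller never sends an already-rotated token.
    const current = await store.load();
    const response = await fetchImpl(TOKEN_URL, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
        grant_type: 'refresh_token',
        refresh_token: current.refresh_token,
        client_id: clientId,
        client_secret: clientSecret,
      }),
    });
    if (!response.ok) {
      throw new Error(`Token refresh failed with HTTP ${response.status}`);
    }
    const data = await response.json();
    const next = {
      access_token: data.access_token,
      refresh_token: data.refresh_token,
      expires_at: Date.now() + data.expires_in * 1000,
    };
    // Persist the rotated pair before any caller receives the new access token.
    await store.save(next);
    return next;
  }

  async function getAccessToken() {
    const current = await store.load();
    // Refresh slightly early (skewMs) so a token does not expire mid-request.
    if (current.expires_at - skewMs > Date.now()) return current.access_token;
    // Concurrent callers share one refresh, so each refresh token is sent once.
    if (!inFlight) inFlight = refresh().finally(() => { inFlight = null; });
    return (await inFlight).access_token;
  }

  return { getAccessToken };
}
```

The in-memory guard only covers a single process. If several instances of your app share one connection, they need a shared lock around the refresh as well.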