# Retrieving the Access Token

### Getting the code

If the user has accepted the link, we will redirect the flow to your `redirect_uri` URI with two query string parameters:

* `code`: You will need the code to make an API call to retrieve the access token.
* `state` (optional): The `state` parameter that you passed in the previous redirect (if any).

**Note**: if the user has denied the request, we will redirect to your `redirect_uri` URI with the error `access_denied`. The code has a short expiration time (\~1 minute).

### Getting the access token

Now that you have a valid code, you can make a request to `POST https://api.matrica.io/oauth2/token` with these params:

* `grant_type`: Must be set to `authorization_code`.
* `code`: The code that you received.
* `redirect_uri`: The callback redirect URI originally requested.
* `client_id`: Your application ID.
* `client_secret` (optional): Only if your application is set to "Private".
* `code_verifier`: PKCE code verifier.

{% hint style="info" %}
Content-Type must be `application/x-www-form-urlencoded`
{% endhint %}

If everything matches up, the API call will respond with this JSON object:

```json
{
    "access_token": "qwertyuio123456",
    "token_type": "Bearer",
    "refresh_token": "qwertyuiopasdfghjk",
    "expires_in": 3600,
    "scope": "profile"
}
```

You can use the `access_token` to make calls to the OAuth 2.0 APIs (see [here](https://docs.matrica.io/api-reference#user-data-requests)) and get the information you have access to (depending on the scopes).

### Refresh token

Store the `refresh_token` safely and use it to get a new `access_token` once it has expired by calling `POST https://api.matrica.io/oauth2/token` with these params:

* `refresh_token`: The refresh token.
* `grant_type`: Must be set to `refresh_token`.
* `client_id`: Your application ID.
* `client_secret` (optional): Only if your application is set to "Private".
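As an added example (not Matrica's own code), the client side of the three steps above in Python: handling the callback (the `access_denied` error and a `state` check), building the authorization-code exchange with `code_verifier`, and building the refresh request. The callback URL, client ID, code, verifier and token values are constructed; the requests are built with the page's endpoint and content type but not sent.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request
TOKEN_URL = "https://api.matrica.io/oauth2/token"  # endpoint from this page
FORM = {"Content-Type": "application/x-www-form-urlencoded"}  # required by the hint above


def parse_callback(redirect_url, expected_state):
    """Return (code, None) on success, or (None, reason) when the callback must be
    rejected: the user denied access, the code is missing, or the returned state
    differs from the one stored before redirecting (CSRF check)."""
    params = parse_qs(urlparse(redirect_url).query)
    if "error" in params:
        return None, params["error"][0]  # e.g. access_denied
    returned_state = params.get("state", [""])[0]
    if expected_state and not secrets.compare_digest(returned_state, expected_state):
        return None, "state_mismatch"  # discard: this flow was not started by us
    if "code" not in params:
        return None, "missing_code"
    return params["code"][0], None  # exchange promptly: codes expire in ~1 minute


def _post(body):
    """Build (but do not send) a form-encoded POST to the token endpoint."""
    return Request(TOKEN_URL, data=urlencode(body).encode(), headers=FORM, method="POST")


def token_request(code, redirect_uri, client_id, code_verifier, client_secret=None):
    """Authorization-code exchange; client_secret only for "Private" applications."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri,  # must equal the URI used when authorizing
            "client_id": client_id,
            "code_verifier": code_verifier}  # PKCE verifier for the earlier challenge
    if client_secret:
        body["client_secret"] = client_secret
    return _post(body)


def refresh_request(refresh_token, client_id, client_secret=None):
    """Get a new access token once the old one has expired; same secret rule."""
    body = {"grant_type": "refresh_token", "refresh_token": refresh_token, "client_id": client_id}
    if client_secret:
        body["client_secret"] = client_secret
    return _post(body)


def form_fields(request):
    """Decode a built request's body back into a dict for inspection."""
    return {k: v[0] for k, v in parse_qs(request.data.decode()).items()}
```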
