Step 3: Exchange authorization code with access token


The authorization code provided in the redirect URI can only be exchanged once and expires 10 minutes after issuance. You must exchange an authorization code with an access token or an access token/refresh token pair. You can then use the access_token to call API methods on behalf of the user.


See the Authorization model.

What's Next

After the access_token is received, the application is considered installed. The application appears in the 'installed apps' section of the team settings.

You can now use the access token for REST API requests.



  • Authentication endpoints are not being deprecated. These endpoints remain the same and use v1 in the endpoint URLs, as documented.

  • Our API is fully compatible with OAuth standards. Due to the current limitations of the portal, we've placed the parameters as query parameters so that you can try out the API. We recommend that you send the parameters in your request body, instead of query parameters, in your real-life implementation.

  • If you haven't enabled the [expire user authorization token feature]
    (, the token will continue functioning until the user uninstalls your app from the team. If you enabled the expire user authorization token feature, the access token expires in 1 hour and the refresh token expires in 60 days.

Click Try It! to start a request and see the response here!