Step 3: Exchange authorization code with access token


The authorization code provided in the redirect URI can only be exchanged once and expires 10 minutes after issuance. You must exchange an authorization code with an access token or an access token/refresh token pair. You can then use the access_token to call API methods on behalf of the user.


See the Authorization model.

What's Next

After the access_token is received, the application is considered installed. The application appears in the 'installed apps' section of the team settings.

You can now use the access token for REST API requests.



  1. Authentication endpoints are not being deprecated. These endpoints remain the same and use v1 in the endpoint URLs, as documented.

  2. If you haven't enabled the expire user authorization token feature, the token will continue functioning until the user uninstalls your app from the team. If you enabled the expire user authorization token feature, the access token expires in 1 hour and the refresh token expires in 60 days.

Click Try It! to start a request and see the response here!