Process Token Request
This API parses request parameters of an authorization request and returns necessary data for the authorization server implementation to process the authorization request further.
authlete token process [flags]
authlete token process --service-id <id> --parameters grant_type=authorization_code&code=Xv_su944auuBgc5mfUnxXayiiQU9Z4-T_Yae_UfExmo&redirect_uri=https%3A%2F%2Fmy-client.example.com%2Fcb1&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
--access-token string The representation of an access token that may be issued as a result of the Authlete API call.
--access-token-duration int The duration (in seconds) of the access token that may be issued as a result of the Authlete
API call.
When this request parameter holds a positive integer, it is used as the duration of the access
token in. In other cases, this request parameter is ignored.
--body string Request body as JSON (alternative to individual flags). Can also be provided via stdin.
--cimd-options string Options for [OAuth Client ID Metadata Document](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (CIMD).
These options allow per-request control over CIMD behavior, taking precedence over service-level configuration when provided.
--client-certificate string The client certificate from the MTLS of the token request from the client application.
--client-certificate-path stringArray The certificate path presented by the client during client authentication. These certificates are strings in PEM format.
--client-id Authorization The client ID extracted from Authorization header of the token request from the client application.
If the token endpoint of the authorization server implementation supports basic authentication as
a means of client authentication, and the request from the client application contained its client ID
in `Authorization` header, the value should be extracted and set to this parameter.
--client-secret Authorization The client secret extracted from Authorization header of the token request from the client application.
If the token endpoint of the authorization server implementation supports basic authentication as a means of
client authentication, and the request from the client application contained its client secret in `Authorization` header,
the value should be extracted and set to this parameter.
--dpop DPoP DPoP header presented by the client during the request to the token endpoint.
The header contains a signed JWT which includes the public key that is paired with the private key used to sign the JWT.
See [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)
for details.
--dpop-nonce-required nonce The flag indicating whether to require the DPoP proof JWT to include the nonce claim. Even if
the service's `dpopNonceRequired` property is `false`, calling the `/auth/token` API with this
`dpopNonceRequired` parameter `true` will force the Authlete API to check whether the DPoP proof
JWT includes the expected `nonce` value.
-h, --help help for process
--htm DPoP HTTP method of the token request. This field is used to validate the DPoP header.
In normal cases, the value is `POST`. When this parameter is omitted, `POST` is used as the default value.
See [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)
for details.
--htu DPoP URL of the token endpoint. This field is used to validate the DPoP header.
If this parameter is omitted, the `tokenEndpoint` property of the Service is used as the default value.
See [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)
for details.
-j, --jwt-at-claims string Additional claims that are added to the payload part of the JWT access token.
--oauth-client-attestation OAuth-Client-Attestation The value of the OAuth-Client-Attestation HTTP header, which is defined in the specification
of [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).
--oauth-client-attestation-pop OAuth-Client-Attestation-PoP The value of the OAuth-Client-Attestation-PoP HTTP header, which is defined in the specification
of [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/).
--parameters application/x-www-form-urlencoded OAuth 2.0 token request parameters which are the request parameters that the OAuth 2.0 token endpoint of the authorization server
implementation received from the client application.
The value of parameters is the entire entity body (which is formatted in application/x-www-form-urlencoded) of the request from
the client application.
[required]
--properties string Extra properties to associate with an access token. See [Extra Properties](https://www.authlete.com/developers/definitive_guide/extra_properties/)
for details.
-r, --refresh-token-duration int The duration (in seconds) of the refresh token that may be issued as a result of the Authlete
API call.
When this request parameter holds a positive integer, it is used as the duration of the refresh
token in. In other cases, this request parameter is ignored.
-s, --service-id string A service ID. [required]
--agent-mode Enable structured errors and default TOON output for AI coding agents. Automatically enabled when a known agent environment is detected (CLAUDE_CODE, CURSOR_AGENT, etc.). Use --agent-mode=false to disable.
--bearer Authorization: Bearer <token> Authenticate every request with a **Service Access Token** or **Organization Token**.
Set the token value in the Authorization: Bearer <token> header.
**Service Access Token**: Scoped to a single service. Use when automating service-level configuration or runtime flows.
**Organization Token**: Scoped to the organization; inherits permissions across services. Use for org-wide automation or when managing multiple services programmatically.
Both token types are issued by the Authlete console or provisioning APIs.
--color string Control colored output: auto (color when output is a TTY), always, or never. Respects NO_COLOR and FORCE_COLOR env vars. (default "auto")
-d, --debug Log request and response diagnostics to stderr
--dry-run Preview the request that would be sent without executing it (output to stderr)
-H, --header stringArray Set a custom HTTP request header (format: "Key: Value"). Can be specified multiple times.
--include-headers Include HTTP response headers in the output
-q, --jq string Filter and transform output using a jq expression (e.g., '.name', '.items[] | .id')
--no-interactive Disable all interactive features (auto-prompting, explorer auto-launch, TUI forms)
-o, --output-format string Specify the output format. Options: pretty, json, yaml, table, toon. (default "pretty")
--server string Select a server by index (for indexed servers) or name (for named servers)
--server-url string Override the default server URL
--timeout string HTTP request timeout (e.g., 30s, 5m, 100ms)
--usage Print the CLI Usage schema in KDL format
- authlete token - Operations for token