
# ExchangeToken

> ExchangeToken exchanges an authorization code for access and refresh tokens.
> Uses the OAuth 2.0 Authorization Code + PKCE flow.



## OpenAPI

````yaml /api/anghami-sdk.openapi.yaml post /v1/auth/token
# OpenAPI 3.1 document. The info block describes the whole SDK bundle, while
# this page carries a single operation, /v1/auth/token.
openapi: 3.1.0
info:
  title: Anghami + OSN+ SDK
  version: 1.0.0
  contact:
    email: developers@anghami.com
    name: Anghami Developer Platform
  description: >-
    Unified OpenAPI bundle covering all Anghami + OSN+ SDK services
    (music + video streaming).
# The only base URL listed is HTTPS.
servers:
  - url: https://sdk.anghami.com
# Empty requirement list, and `components` below defines no securitySchemes:
# the token endpoint is callable without prior credentials. What the caller
# must present is the request body itself (`code` plus `codeVerifier`).
# NOTE(review): an unauthenticated endpoint normally needs server-side
# throttling; none is documented on this page - confirm.
security: []
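paths:
  /v1/auth/token:
    # Token endpoint of the Authorization Code + PKCE flow: the caller trades
    # an authorization code and its PKCE verifier for an access token and a
    # refresh token.
    post:
      tags:
        - AuthService
      summary: ExchangeToken
      description: >-
        ExchangeToken exchanges an authorization code for access and refresh
        tokens. Uses the OAuth 2.0 Authorization Code + PKCE flow.
      operationId: ExchangeToken
      # The body is JSON with camelCase fields and no grant_type parameter.
      # RFC 6749 section 4.1.3 defines the token request as
      # application/x-www-form-urlencoded, so stock OAuth client libraries
      # will likely need an adapter to talk to this endpoint.
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/sdk_auth_v1_ExchangeTokenRequest'
        required: true
      responses:
        # This body carries bearer credentials. RFC 6749 section 5.1 requires
        # `Cache-Control: no-store` on token responses; no response headers
        # are documented here.
        # NOTE(review): confirm the server sends it, and keep this body out
        # of client logs and crash reports.
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/sdk_auth_v1_ExchangeTokenResponse'
        # Request failed validation; the body lists the offending fields.
        '400':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ValidationError'
        # Catch-all for every other status. The spec does not distinguish a
        # rejected code, a verifier mismatch or throttling, so clients should
        # treat any non-200 answer as a failed exchange.
        default:
          description: Error response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'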
components:
  schemas:
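    sdk_auth_v1_ExchangeTokenRequest:
      # Token request body. No client secret field is defined, which matches a
      # public-client flow: holding `code` together with the matching
      # `codeVerifier` is the only proof that the caller started the
      # authorization request.
      type: object
      properties:
        # NOTE(review): lifetime and single-use handling of the code are not
        # stated here. RFC 6749 section 4.1.2 expects short-lived, one-time
        # codes - confirm the server enforces both.
        code:
          type: string
          description: >-
            The authorization code received from the authorization server
            callback.
        # `format: uri` is a syntactic hint only; the binding to the client
        # comes from the registered-URI match named in the description.
        # NOTE(review): confirm the server compares by exact string match
        # rather than by prefix or pattern.
        redirectUri:
          type: string
          format: uri
          description: >-
            The redirect URI that was used in the authorization request.
            Must match the URI registered for the client application.
        # Public identifier, not a secret: it names the client but does not
        # authenticate it.
        clientId:
          type: string
          description: The client application identifier.
        # Length bounds follow RFC 7636 section 4.1, but no `pattern` limits
        # the value to the unreserved characters [A-Za-z0-9-._~] that the RFC
        # allows.
        # NOTE(review): consider adding one if the server enforces that set.
        # The verifier is a secret until the exchange completes: keep it out
        # of logs and URLs.
        codeVerifier:
          type: string
          maxLength: 128
          minLength: 43
          description: >-
            The PKCE code verifier corresponding to the code_challenge sent in
            the authorization request. Must be 43-128 characters per RFC 7636.
      # All four fields are mandatory; a request without codeVerifier is
      # invalid under this schema, so PKCE cannot be skipped by omission.
      required:
        - code
        - redirectUri
        - clientId
        - codeVerifier
      description: >-
        ExchangeTokenRequest is the request message for exchanging an
        authorization code for an access token using the OAuth 2.0
        Authorization Code + PKCE flow.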
    sdk_auth_v1_ExchangeTokenResponse:
      # Envelope for the issued tokens. `token` is not listed as required, so
      # a schema-valid 200 body may omit it; clients should check for its
      # presence before treating the exchange as successful.
      description: >-
        ExchangeTokenResponse is the response message containing the
        issued tokens.
      type: object
      properties:
        token:
          $ref: '#/components/schemas/sdk_auth_v1_TokenInfo'
    ValidationError:
      # Body of the 400 response: a mandatory list of FieldViolation entries.
      description: >-
        ValidationError is returned when request validation fails. It
        contains a list of field violations describing what went wrong.
      type: object
      required:
        - violations
      properties:
        violations:
          description: List of validation violations
          type: array
          items:
            $ref: '#/components/schemas/FieldViolation'
    Error:
      # Body of the `default` response. Only a free-form `message` is defined;
      # there is no machine-readable code comparable to the `error` values of
      # RFC 6749 section 5.2 (invalid_grant, invalid_client, ...), so clients
      # cannot branch reliably on the cause of a failed exchange.
      # NOTE(review): the sample messages ('user not found', 'database
      # connection failed') read like backend detail. Responses to clients
      # should stay generic, with the detail kept in server-side logs -
      # confirm what this endpoint actually returns.
      description: >-
        Error is returned when a handler encounters an error. It contains
        a simple error message that the developer can customize.
      type: object
      properties:
        message:
          description: >-
            Error message (e.g., 'user not found', 'database connection
            failed')
          type: string
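    sdk_auth_v1_TokenInfo:
      # Token set handed to the client. Field names are camelCase rather than
      # the snake_case names of RFC 6749 section 5.1 (access_token, ...).
      # No field is marked required, so clients should validate presence.
      type: object
      properties:
        # Bearer credential: whoever holds it can call the API until it
        # expires. Keep it out of URLs, logs and analytics events.
        accessToken:
          type: string
          description: The access token string for authenticating API requests.
        # "Always Bearer" means the token is not sender-constrained (no DPoP
        # or mTLS binding is described), so protection against theft rests on
        # TLS, secure client storage and the expiresIn lifetime.
        tokenType:
          type: string
          description: The token type. Always "Bearer".
        # Lifetime in seconds, relative to when the response was issued.
        expiresIn:
          type: integer
          format: int32
          description: Number of seconds until the access token expires.
        # Used to mint new access tokens, so it is the higher-value secret of
        # the two; store it in platform secure storage.
        # NOTE(review): "only present in the initial token exchange response"
        # suggests refresh responses do not issue a replacement, i.e. no
        # rotation. RFC 9700 asks for rotation or sender-constraining of
        # refresh tokens held by public clients - confirm what the server
        # does and how a leaked refresh token is revoked.
        refreshToken:
          type: string
          description: >-
            The refresh token for obtaining new access tokens. Only present in
            the initial token exchange response.
        # Scopes attached to the token. Clients should compare this list with
        # what they requested instead of assuming the full request was
        # granted. AUTH_SCOPE_UNSPECIFIED is part of the enum; presumably it
        # is the unset default and should not be treated as a grant - confirm.
        scopes:
          type: array
          items:
            type: string
            enum:
              - AUTH_SCOPE_UNSPECIFIED
              - AUTH_SCOPE_READ
              - AUTH_SCOPE_STREAM
            description: >-
              AuthScope enumerates the broad permission scopes available for
              OAuth access tokens. Scopes are requested during the
              authorization flow and determine what operations the access
              token can perform.
      description: >-
        TokenInfo contains the OAuth 2.0 token response fields. Returned by
        ExchangeToken and RefreshToken RPCs.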
    FieldViolation:
      # One entry of ValidationError.violations: which field failed and why.
      # NOTE(review): for this operation the failing field can be `code` or
      # `codeVerifier`; the description should name the broken rule without
      # echoing the submitted value - confirm server behaviour.
      description: >-
        FieldViolation describes a single validation error for a specific
        field.
      type: object
      required:
        - field
        - description
      properties:
        field:
          description: >-
            The field path that failed validation (e.g., 'user.email' for
            nested fields). For header validation, this will be the header
            name (e.g., 'X-API-Key')
          type: string
        description:
          description: >-
            Human-readable description of the validation violation (e.g.,
            'must be a valid email address', 'required field missing')
          type: string

````