Get Token
API to acquire an access token via an authorization_code exchange and concurrently includes the user's profile in the response.
The access_token obtained through this API has a specific validity period that lasts until 3:30 AM the following day, regardless of the time it was generated. For instance, if you generate a token at 8 PM on Tuesday, it will expire at 3:30 AM on Wednesday. This also means that a token created at 2:30 AM on Wednesday will still expire at 3:30 AM on the same Wednesday. Therefore, users are advised to plan their activities accordingly, ensuring they accommodate the token's expiration schedule in their usage.
Header Parameters
| Name | Required | Type | Description |
|---|---|---|---|
| Content-Type | true | string | Indicates the media type of the resource, set as application/x-www-form-urlencoded. |
| Accept | true | string | Defines the content format the client expects, which should be set to application/json. |
Request Body
| Name | Required | Type | Description |
|---|---|---|---|
| code | true | string | The code is a unique parameter included in the URL upon a successful Authorize API authentication. |
| client_id | true | string | The API key obtained during the app generation process. |
| client_secret | true | string | The API secret obtained during the app generation process. This private key remains confidential, known only to the application and the authorization server. |
| redirect_uri | true | string | The URL provided during app generation. |
| grant_type | true | string | This value must always be authorization_code. |
The code sent as part of this request is valid for a single use, regardless of whether the access token generation succeeds or encounters an issue.
- 200
- 4XX
Response Body
{
"email": "******",
"exchanges": ["NSE", "NFO", "BSE", "CDS", "BFO", "BCD"],
"products": ["D", "CO", "I"],
"broker": "UPSTOX",
"user_id": "******",
"user_name": "******",
"order_types": ["MARKET", "LIMIT", "SL", "SL-M"],
"user_type": "individual",
"poa": false,
"is_active": true,
"access_token": "******************"
"extended_token": "******************"
}
| Name | Type | Description |
|---|---|---|
| string | E-mail address of the user | |
| exchanges | string[] | List of exchanges enabled for the user. Valid exchanges can be found in the Exchange Appendix |
| products | string[] | Lists the types of products enabled for the user. Possible values: I, D, CO, MTF |
| broker | string | The broker ID |
| user_id | string | Uniquely identifies the user (commonly referred as UCC) |
| user_name | string | Name of the user |
| order_types | string[] | Order types enabled for the user. Possible values: MARKET, LIMIT, SL, SL-M |
| user_type | string | Identifies the user's registered role with the broker. This will be individual for all retail users |
| poa | boolean | Indicates whether the user has authorized power of attorney for transactions. |
| is_active | boolean | Indicates if the account status is active. |
| access_token | string | The authentication token to be used with every subsequent API request. |
| extended_token | string | This token is designed for prolonged usage, primarily for read-only access to various API endpoints. For more detailed information on the extended token, including its benefits and how to opt for it, please refer to the Extended Token Documentation. |
If a user attempting to log in has no active segments, the error No segments for these users are active. Manual reactivation is recommended from Upstox app/web. will occur, preventing the Token API from generating the access_token. To resolve this, users must manually reactivate their segment through the Upstox web or mobile application before attempting to log in again.
Error codes
| Error code | Description |
|---|---|
| UDAPI100069 | Check your 'client_id' and 'client_secret'; one or both are incorrect. - Thrown when one of the credentials you've passed to this API is invalid. |
| UDAPI100070 | The 'redirect_uri' provided is invalid. Please enter the valid URI and try again. - Thrown when the redirect_uri passed to this API is invalid. |
| UDAPI100057 | Invalid Auth code - Thrown when the code value passed to the API is invalid. |
Examples
A comprehensive set of examples is provided to illustrate various use cases and implementation scenarios for this API. To view detailed examples and access sample code, please refer to: API Examples.