# Social with Provider's Access Token

> Deprecated endpoint for authenticating users with a social provider's access token; use browser-based social login instead.

export const ResponseSchema = ({statusCode, type = "{}", children}) => {
  const [open, setOpen] = useState(false);
  return <div className="border border-gray-100 dark:border-gray-800 rounded-lg mb-3 overflow-hidden">
      <div className={`flex items-center gap-2.5 px-4 py-2.5 cursor-pointer select-none ${open ? "bg-gray-50 dark:bg-gray-800" : ""}`} onClick={() => setOpen(!open)}>
        {statusCode && <span className="border border-gray-300 dark:border-gray-600 text-gray-700 dark:text-gray-300 font-mono text-xs px-1.5 py-0.5 rounded">
            {statusCode.startsWith("default") ? "default" : statusCode}
          </span>}
        <span className="text-gray-500 dark:text-gray-400 text-sm font-mono">
          {type}
        </span>
        <span className="text-gray-400 dark:text-gray-500 text-sm italic">
          application/json
        </span>
        <svg className={`ml-auto opacity-50 transition-transform duration-200 ${open ? "rotate-180" : ""}`} width="16" height="16" viewBox="0 0 16 16" fill="none">
          <path d="M4 6l4 4 4-4" stroke="currentColor" strokeWidth="1.5" strokeLinecap="round" strokeLinejoin="round" />
        </svg>
      </div>
      {open && <div className="px-4 pt-1 pb-3 border-t border-gray-100 dark:border-gray-800">
          {children}
        </div>}
    </div>;
};

## Endpoint

`POST /oauth/access_token`

<Note>
  This endpoint is part of the legacy authentication pipeline. We recommend opening the browser for social authentication instead, which is what [Google and Facebook recommend](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). For more information on the latest authentication pipeline, refer to [Introducing OIDC Conformant Authentication](/api-auth/intro).

  This feature is disabled by default for new tenants as of 8 June 2017. Please see [Application Grant Types](/applications/concepts/application-grant-types) for more information.
</Note>

Given the social provider's Access Token and the `connection`, this endpoint authenticates the user with the provider and returns a JSON object containing the Access Token and, optionally, an ID Token. This endpoint only works for Facebook, Google, Twitter, and Weibo.

### Remarks

* The `profile` scope value requests access to the End-User's default profile Claims, which are: `name`, `family_name`, `given_name`, `middle_name`, `nickname`, `preferred_username`, `profile`, `picture`, `website`, `gender`, `birthdate`, `zoneinfo`, `locale`, and `updated_at`.

* The `email` scope value requests access to the `email` and `email_verified` Claims.

### Learn More

* [Call an Identity Provider API](https://auth0.com/docs/authenticate/identity-providers/calling-an-external-idp-api)
* [Identity Provider Access Tokens](https://auth0.com/docs/secure/tokens/access-tokens/identity-provider-access-tokens)
* [Add scopes/permissions to call Identity Provider's APIs](https://auth0.com/docs/authenticate/identity-providers/adding-scopes-for-an-external-idp)

## Body Parameters

<ParamField body="client_id" type="string" required>
  The `client_id` of your application.
</ParamField>

<ParamField body="access_token" type="string" required>
  The social provider's Access Token.
</ParamField>

<ParamField body="connection" type="string" required>
  The name of an identity provider configured for your app.
</ParamField>

<ParamField body="scope" type="string">
  Use `openid` to get an ID Token, or `openid profile email` to include user information.
</ParamField>

## Response Schema

<ResponseSchema statusCode="200">
  <ResponseField name="id_token" type="string">
    The ID token.
  </ResponseField>

  <ResponseField name="access_token" type="string">
    The access token.
  </ResponseField>

  <ResponseField name="token_type" type="string">
    The type of token. Usually `Bearer`.
  </ResponseField>
</ResponseSchema>

<ResponseSchema statusCode="400 / 401 / 403">
  <ResponseField name="error" type="string">
    Error code.
  </ResponseField>

  <ResponseField name="error_description" type="string">
    Error description.
  </ResponseField>
</ResponseSchema>

## Response Messages

| Status  | Description                        |
| ------- | ---------------------------------- |
| 200     | Successful authentication response |
| 400     | Bad Request                        |
| 401     | Unauthorized                       |
| 403     | Forbidden                          |
| default | Unexpected error                   |
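
The request body and both response shapes documented above, as an added Python example that is not part of the original reference or Auth0's own code. The helper names, the JSON request encoding, the `https://{domain}` base URL, and the local error labels `unexpected_error` and `malformed_response` are assumptions made for illustration.

```python
import json
import urllib.request

ENDPOINT_PATH = "/oauth/access_token"


class SocialTokenError(Exception):
    """Raised for 400 / 401 / 403, unexpected, or malformed responses."""

    def __init__(self, status, error, description):
        super().__init__(f"{status} {error}: {description}")
        self.status, self.error, self.description = status, error, description


def build_request(domain, client_id, access_token, connection, scope=None):
    """Build (but do not send) the POST request described under Body Parameters."""
    body = {"client_id": client_id, "access_token": access_token,
            "connection": connection}
    missing = [name for name, value in body.items() if not value]
    if missing:
        raise ValueError(f"missing required parameter(s): {', '.join(missing)}")
    if scope:  # optional: "openid" or "openid profile email"
        body["scope"] = scope
    # Assumption: JSON-encoded body; https only, because it carries a token.
    return urllib.request.Request(
        f"https://{domain}{ENDPOINT_PATH}",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def parse_response(status, raw_body, requested_scope=None):
    """Map a status code and body onto the documented response schema."""
    try:
        doc = json.loads(raw_body)
    except (TypeError, ValueError):
        doc = None
    if not isinstance(doc, dict):
        doc = {}
    if status != 200:
        # "unexpected_error" is a local label, not a server error code.
        raise SocialTokenError(status, doc.get("error", "unexpected_error"),
                               doc.get("error_description", ""))
    if "access_token" not in doc:
        raise SocialTokenError(status, "malformed_response", "no access_token")
    if "openid" in (requested_scope or "").split() and "id_token" not in doc:
        raise SocialTokenError(status, "malformed_response", "no id_token")
    return {k: doc.get(k) for k in ("access_token", "id_token", "token_type")}
```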
