
# Back-Channel Login flow - Status Check

> Poll the token endpoint to check the status of a pending Back-Channel Login request.

## Endpoint

`POST /oauth/token`

To check on the status of a Back-Channel Login flow, poll the `/oauth/token` endpoint at regular intervals by passing the following:

* `auth_req_id` returned from the call to `/bc-authorize`
* `urn:openid:params:grant-type:ciba` grant type

### Response Body

If the authorizing user has not yet approved or rejected the request, you should receive a response like the following:

```json
{
  "error": "authorization_pending",
  "error_description": "The end-user authorization is pending"
}
```

If the authorizing user rejects the request, you should receive a response like the following:

```json
{
  "error": "access_denied",
  "error_description": "The end-user denied the authorization request or it has been expired"
}
```

If you are polling too quickly (faster than the interval value returned from `/bc-authorize`), you should receive a response like the following:

```json
{
  "error": "slow_down",
  "error_description": "You are polling faster than allowed. Try again in 10 seconds."
}
```

In addition, Auth0 will add the [Retry-After](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Retry-After) header to the response indicating how many seconds to wait before attempting to poll again. If you consistently poll too frequently, the number of seconds you must wait increases.

If the authorizing user has approved the push notification, the call returns the ID token and access token (and potentially a refresh token):

```json
{
  "access_token": "eyJh...",
  "id_token": "eyJh...",
  "expires_in": 86400,
  "scope": "openid"
}
```

Once you have exchanged an `auth_req_id` for an ID or access token, it is no longer usable.
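
The polling behaviour described above can be sketched as a client loop. This is an added example, not Auth0's own code: `poll_ciba_token`, `CibaDenied` and the `post(form) -> (status, headers, body)` transport are hypothetical names, and `expires_in` is assumed to be the request lifetime returned by `/bc-authorize` alongside `interval`.

```python
import time

GRANT_TYPE = "urn:openid:params:grant-type:ciba"


class CibaDenied(Exception):
    """access_denied: the user rejected the request or it expired."""


def poll_ciba_token(post, client_id, auth_req_id, interval, expires_in,
                    sleep=time.sleep, clock=time.monotonic):
    # post(form) is a caller-supplied transport (assumption): it adds client
    # authentication, sends POST /oauth/token, returns (status, headers, body).
    form = {"grant_type": GRANT_TYPE, "client_id": client_id,
            "auth_req_id": auth_req_id}
    deadline, wait = clock() + expires_in, interval
    while clock() < deadline:
        status, headers, body = post(form)
        if status == 200:
            return body  # auth_req_id is now spent, so stop polling
        error = body.get("error")
        retry_after = {k.lower(): v for k, v in headers.items()}.get("retry-after")
        if error == "slow_down":
            # Honour Retry-After (seconds) and keep the longer wait from now on.
            wait = max(wait, int(retry_after or wait))
        elif error == "access_denied":
            raise CibaDenied(body.get("error_description", ""))
        elif error != "authorization_pending":
            raise RuntimeError(f"unexpected token response: {status} {error}")
        sleep(wait)
    raise TimeoutError("auth_req_id expired before the user responded")


if __name__ == "__main__":
    # Constructed replies standing in for the HTTP transport, so this runs offline.
    replies = iter([
        (400, {}, {"error": "authorization_pending"}),
        (400, {"Retry-After": "10"}, {"error": "slow_down"}),
        (200, {}, {"access_token": "constructed", "scope": "openid"}),
    ])
    waits = []
    print(poll_ciba_token(lambda form: next(replies), "CLIENT_ID", "AUTH_REQ_ID",
                          interval=5, expires_in=300, sleep=waits.append), waits)
```

Treating any unrecognised error as fatal, rather than retrying it, keeps a misconfigured client from hammering the token endpoint until the request expires.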

### Remarks

Include an optional parameter for application authentication in the request:

* Client Secret with HTTP Basic auth, in which case no parameters are required. The `client_id` and `client_secret` are passed in a header.
* Client Secret Post, in which case the `client_id` and `client_secret` are required.
* Private Key JWT, where the `client_id`, `client_assertion`, and `client_assertion_type` are required.
* mTLS, where the `client_id` parameter is required and the `client-certificate` and `client-certificate-ca-verified` headers are required.

## Body Parameters

<ParamField body="client_id" type="string" required>
  The `client_id` of your application.
</ParamField>

<ParamField body="auth_req_id" type="string" required>
  The `auth_req_id` returned from the `/bc-authorize` endpoint.
</ParamField>

<ParamField body="grant_type" type="string" required>
  Must be set to `urn:openid:params:grant-type:ciba`.
</ParamField>

## Response Messages

| Status | Description                      |
| ------ | -------------------------------- |
| 200    | Authentication status returned.  |
| 400    | Bad Request - Invalid parameters |
| 500    | Internal Server Error            |
