Get Access Token

POSThttps://exchange.gemini.com/auth/token

Once you have received an authorization code from the Authorization Request, you can exchange it for access and refresh tokens. Access tokens are short-lived (24 hour expiration) and are used as authentication against Gemini APIs, while refresh tokens never expire and are used to regenerate access tokens.

Public clients

Public clients send

Code

code_verifier

instead of

Code

client_secret

— omit

Code

client_secret

entirely, or the request will fail. See Public Clients and PKCE.

POSTauth/token

curl --request POST \
  --url https://exchange.gemini.com/auth/token \
  --header 'Content-Type: application/json' \
  --data '
{
  "client_id": "my_id",
  "client_secret": "my_secret",
  "code": "90123465-86ee-44ef-b4e3-835cc89bc8a3",
  "redirect_uri": "www.example.com/redirect",
  "grant_type": "authorization_code"
}
'

Request Body

client_idstring·required

Unique ID of your application. This is provided in your API settings.

client_secretstring

Secret of your application, provided when you register a confidential client in API settings. Confidential clients only — public clients must not send this, and a request that includes it will fail.

codestring·required

The authorization code received from the Authorization Request.

redirect_uristring·required

Must match the redirect_uri provided in the Authorization Request.

grant_typestring·required

The literal string "authorization_code".Example: authorization_code

code_verifierstring

Required for public clients. The original

Code

code_verifier

you generated before the authorization request (43–128 characters from

Code

[A-Za-z0-9-._~]

). Gemini hashes it and compares it to the

Code

code_challenge

you sent.

Responses

Access and refresh tokens successfully issued

access_tokenstring

A short-lived token to use in API call authentication. Valid until the expires_in time reaches 0.

refresh_tokenstring

A refresh token to be used to generate new access tokens.

token_typestring

The literal string "bearer".

scopestring

The OAuth scopes the access token will have access to.

expires_ininteger

The lifetime in seconds of the access token, as measured from the current time.

PreviousAuthorization Request NextRefresh Access Token

Last modified on June 17, 2026

curl --request POST \ --url https://exchange.gemini.com/auth/token \ --header 'Content-Type: application/json' \ --data ' { "client_id": "my_id", "client_secret": "my_secret", "code": "90123465-86ee-44ef-b4e3-835cc89bc8a3", "redirect_uri": "www.example.com/redirect", "grant_type": "authorization_code" } '

Request Body

client_idstring·required

Unique ID of your application. This is provided in your API settings.

client_secretstring

codestring·required

The authorization code received from the Authorization Request.

redirect_uristring·required

Must match the redirect_uri provided in the Authorization Request.

grant_typestring·required

The literal string "authorization_code".Example: authorization_code

code_verifierstring

Required for public clients. The original

Code

code_verifier

you generated before the authorization request (43–128 characters from

Code

[A-Za-z0-9-._~]

). Gemini hashes it and compares it to the

Code

code_challenge

you sent.

Responses

Access and refresh tokens successfully issued

access_tokenstring

A short-lived token to use in API call authentication. Valid until the expires_in time reaches 0.

refresh_tokenstring

A refresh token to be used to generate new access tokens.

token_typestring

The literal string "bearer".

scopestring

The OAuth scopes the access token will have access to.

expires_ininteger

The lifetime in seconds of the access token, as measured from the current time.