# Tokens

1. **Token Request**: Your application then makes a secure POST request to the Token Endpoint, providing the authorization code along with your `client_id`, `client_secret`, `redirect_uri`, and (if it was used in step 1) the same `userid`. This step happens server-to-server (from your application's backend to the AIRisk API) and does not involve the user's browser, so the `client_secret` is never exposed to it.
2. **Token Response**: If the request is valid, the AIRisk authorization server responds with a JSON payload containing an `access_token` (and possibly other details, such as `expires_in`). Your app then uses this token to authenticate subsequent API requests to AIRisk, normally by sending it in an `Authorization: Bearer <access_token>` HTTP header.

> **Note**: The AIRisk OAuth2 flow supports two modes of obtaining tokens:
>
> * **Generic tokens** – obtained by omitting the `userid` parameter. These tokens are not tied to any specific end-user; they represent the application’s own access.
> * **User-specific tokens** – obtained by including a `userid`. These tokens represent an authorization on behalf of a particular user. The following sections detail how to use each endpoint and clarify the differences between these token types.

```mermaid
sequenceDiagram
    participant App as Application
    participant Browser as User's Browser
    participant Auth as AIRisk Auth Server

    %% Step 1: Authorization Request initiated by the Application
    App->>Browser: Redirect to<br>/authorize?client_id={client_id}&redirect_uri={redirect_uri}&[userid={userid}]
    note right of App: Ensure that client_id and client_secret are valid for an APIUser<br>and that redirect_uri matches one of the allowed URIs

    %% Step 2: Authorization Code Request via User’s Browser
    Browser->>Auth: GET /authorize?<br>client_id={client_id}, redirect_uri={redirect_uri}, [userid={userid}]
    alt Authorized Request
        Auth-->>Browser: HTTP 302 Redirect<br>Location: {redirect_uri}?code={auth_code}
    else Authorization Error
        Auth-->>Browser: HTTP Error Response<br>(status_code, reason)
    end

    %% Step 3: Token Request from Application Backend
    Browser->>App: Browser lands on {redirect_uri} with auth_code
    App->>Auth: POST /token<br>{ code: {auth_code}, client_id, client_secret, redirect_uri, [userid] }
    alt Valid Token Request
        Auth-->>App: JSON { access_token, expires_in, ... }
    else Token Request Error
        Auth-->>App: HTTP Error Response<br>(status_code, reason, json body)
    end
```
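The token step above, as an added example that is not AIRisk's own code: it builds the backend POST for both token modes (generic when `userid` is omitted, user-specific when it is present) and turns the token response into a Bearer header with an expiry. The Token Endpoint URL and the JSON request encoding are assumptions, as is the sample response.

```python
import json
import time
from urllib.request import Request

# Placeholder: the real Token Endpoint URL comes from the AIRisk documentation.
TOKEN_ENDPOINT = "https://AIRISK_HOST_PLACEHOLDER/token"


def token_request_params(code, client_id, client_secret, redirect_uri, userid=None):
    """Body of the code-for-token exchange. userid is sent only when it was
    also sent to /authorize (user-specific token); omit it for a generic token."""
    params = {
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }
    if userid is not None:
        params["userid"] = userid
    return params


def build_token_request(code, client_id, client_secret, redirect_uri, userid=None):
    """Backend POST to the Token Endpoint (a JSON body is an assumption here).
    It carries client_secret, so it is built and sent server-side only."""
    body = json.dumps(token_request_params(code, client_id, client_secret,
                                           redirect_uri, userid)).encode()
    return Request(TOKEN_ENDPOINT, data=body, method="POST",
                   headers={"Content-Type": "application/json"})


def parse_token_response(status, body, now=None):
    """Return (Authorization header value, expiry epoch or None), or raise on
    the error branch of the flow so status/reason reach the caller's logs."""
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}: {body}")
    payload = json.loads(body)
    now = time.time() if now is None else now
    # expires_in is optional in the response; None means "unknown lifetime".
    expires_at = now + int(payload["expires_in"]) if "expires_in" in payload else None
    return f"Bearer {payload['access_token']}", expires_at


# Constructed sample response, shaped like the documented JSON payload.
SAMPLE_RESPONSE = '{"access_token": "SAMPLE_TOKEN", "expires_in": 3600}'

if __name__ == "__main__":
    req = build_token_request("AUTH_CODE", "my-client", "my-secret",
                              "https://app.example/callback", userid="user-42")
    print(req.get_method(), req.full_url, parse_token_response(200, SAMPLE_RESPONSE))
```

The returned expiry lets the backend refresh before the token lapses instead of discovering it through a failed API call.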
