Retrieve the access token issued by a third-party enterprise SSO provider

GET /api/my-account/sso-identities/{connectorId}/access-token

This API retrieves the access token issued by a third-party enterprise SSO provider for a given SSO connector ID. Access is only available if token storage is enabled for the corresponding connector. When a user authenticates through a SSO provider, Logto automatically stores the provider’s tokens in an encrypted form. You can use this API to securely retrieve the stored access token and use it to access third-party APIs on behalf of the user.

Path parameters

connectorId string Required

The unique identifier of the connector.

Responses

200 application/json

The access token was retrieved successfully.
Hide response attributes Show response attributes object
- access_token string Required
- scope string
- token_type string
- expires_in number | string
  
  One of:
  number-1 number string-2 string
400

Bad Request
401

Permission denied, the access_token is expired and the offline_access scope is not granted or expired.
403

Forbidden
404

The SSO connector does not exist or the access token is not available.

GET /api/my-account/sso-identities/{connectorId}/access-token

curl \
 --request GET 'https://[tenant_id].logto.app/api/my-account/sso-identities/{connectorId}/access-token' \
 --header "Authorization: Bearer $ACCESS_TOKEN"

Response examples (200)

{
  "access_token": "string",
  "scope": "string",
  "token_type": "string",
  "expires_in": 42.0
}