# Create an OAuth token

Creates a bearer token that enables an OAuth client to authenticate with the Zuora REST API. The OAuth client must have been created using the Zuora UI. See Authentication for more information.

Note: When using this operation, do not set any authentication headers such as Authorization, apiAccessKeyId, or apiSecretAccessKey.

You should not use this operation to generate a large number of bearer tokens in a short period of time; each token should be used until it expires. If you receive a 429 Too Many Requests response when using this operation, reduce the frequency of requests. This endpoint is rate limited by IP address. For the rate limit information of authentication, see Rate and concurrent request limits.

Endpoint: POST /oauth/token

Version: 2026-02-20

Security:

## Header parameters:

- `Zuora-Track-Id` (string) A custom identifier for tracing the API call. If you set a value for this header, Zuora returns the same value in the response headers. This header enables you to associate your system process identifiers with Zuora API calls, to assist with troubleshooting in the event of an issue. The value of this field must use the US-ASCII character set and must not include any of the following characters: colon (:), semicolon (;), double quote ("), and quote (').
- `Zuora-Entity-Ids` (string) An entity ID if you have Multi-entity enabled. The value must be a 36-character UUID that contains hyphens (-). If your entity ID is not a valid UUID, convert it to a valid UUID before specifying this parameter. Example: "11e643f4-a3ee-8bad-b061-0025904c756d"

## Request fields (application/x-www-form-urlencoded):

- `client_id` (string, required) The Client ID of the OAuth client.
- `client_secret` (string, required) The Client Secret that was displayed when the OAuth client was created.
- `grant_type` (string, required) The OAuth grant type that will be used to generate the token. The value of this parameter must be client_credentials. Enum: "client_credentials"

## Response 200 fields (application/json):

- `access_token` (string) The generated token.
- `expires_in` (number) The number of seconds until the token expires.
- `jti` (string) A globally unique identifier for the token.
- `scope` (string) A space-delimited list of scopes that the token can be used to access.
- `token_type` (string) The type of token that was generated, i.e., bearer.

## Response 429 fields
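The following is an added example, not Zuora's own client code: it builds the form-encoded token request exactly as documented above (no authentication headers, validated `Zuora-Track-Id` and `Zuora-Entity-Ids`), then caches the returned bearer token and only calls the endpoint again shortly before `expires_in` elapses, backing off on a 429. The `fetch`, `clock` and `sleep` callables are assumed hooks so the logic can run without network access; the base URL is a placeholder.

```python
import time
import urllib.parse
import uuid

TOKEN_PATH = "/oauth/token"


def build_token_request(base_url, client_id, client_secret,
                        track_id=None, entity_id=None):
    """Return (url, headers, body) for POST /oauth/token.
    Only the documented form fields are sent; no Authorization,
    apiAccessKeyId or apiSecretAccessKey header is ever added."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if track_id is not None:
        if not track_id.isascii() or any(c in track_id for c in ':;"\''):
            raise ValueError("Zuora-Track-Id must be US-ASCII without : ; \" '")
        headers["Zuora-Track-Id"] = track_id
    if entity_id is not None:
        # str(uuid.UUID(...)) normalises to the hyphenated 36-character form.
        headers["Zuora-Entity-Ids"] = str(uuid.UUID(entity_id))
    body = urllib.parse.urlencode({"client_id": client_id,
                                   "client_secret": client_secret,
                                   "grant_type": "client_credentials"})
    return base_url.rstrip("/") + TOKEN_PATH, headers, body


class TokenCache:
    """Hold one bearer token and re-request it only when it is about to
    expire; on 429 back off instead of hammering the rate-limited endpoint.
    fetch() is an assumed hook returning (http_status, parsed_json_body)."""

    def __init__(self, fetch, skew=60, clock=time.monotonic, sleep=time.sleep):
        self._fetch, self._skew, self._clock, self._sleep = fetch, skew, clock, sleep
        self._token, self._expires_at, self.fetch_count = None, 0.0, 0

    def bearer(self, max_retries=3):
        if self._token and self._clock() < self._expires_at - self._skew:
            return self._token  # reuse the token until it nears expiry
        for attempt in range(max_retries):
            status, resp = self._fetch()
            self.fetch_count += 1
            if status == 200 and resp.get("token_type", "").lower() == "bearer":
                self._token = resp["access_token"]
                self._expires_at = self._clock() + float(resp["expires_in"])
                return self._token
            if status == 429:  # rate limited by IP: exponential back-off
                self._sleep(2 ** attempt)
                continue
            raise RuntimeError(f"token request failed: HTTP {status}")
        raise RuntimeError("still rate limited after retries")
```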