> ## Documentation Index
> Fetch the complete documentation index at: https://docs.maxcare.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Exchange authorization code for user info

> Exchanges an OAuth 2.0 authorization code for an OIDC id_token and user context. Authenticate with your app's API key in the Authorization header. No X-Organization-Id header required. Errors follow OAuth 2.0 spec format (RFC 6749).



## OpenAPI

````yaml /openapi-v4.json post /oauth/token
# OpenAPI 3.0 definition for POST /oauth/token: exchanges an OAuth 2.0
# authorization code for an OIDC id_token plus the user's authorized
# organizations and facilities. The schemas under `components` are the
# request, success-response and error DTOs for this single operation.
openapi: 3.0.0
info:
  title: Max AI Public API
  description: API for third-party marketplace apps
  version: '4.0'
  contact: {}
servers:
  - url: https://api.maxcare.ai/v4
# No document-wide security requirement; the operation below declares its own.
security: []
tags: []
paths:
  /oauth/token:
    post:
      tags:
        - OAuth
      summary: Exchange authorization code for user info
      description: >-
        Exchanges an OAuth 2.0 authorization code for an OIDC id_token and user
        context. Authenticate with your app's API key in the Authorization
        header. No X-Organization-Id header required. Errors follow OAuth 2.0
        spec format (RFC 6749).
      operationId: OAuthPublicController_exchangeToken
      parameters:
        # NOTE(review): the description above states that no X-Organization-Id
        # header is required, yet this parameter is marked `required: true`.
        # One of the two is stale — confirm against the server and align them,
        # because clients generated from this spec will send or omit the header
        # based on this flag, not on the prose.
        - name: X-Organization-Id
          in: header
          required: true
          schema:
            type: string
          description: Target clinic organization ID
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/TokenExchangeRequestDto'
      responses:
        '200':
          description: Token exchange successful
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenExchangeResponseDtoV3'
        # Both error responses carry the RFC 6749 error body (OAuthErrorDto):
        # 400 for a malformed request or a bad grant, 401 for the API key itself.
        '400':
          description: Invalid request or grant
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuthErrorDto'
        '401':
          description: Invalid or missing API key
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuthErrorDto'
      # Overrides the empty top-level `security: []`: this operation requires
      # the app's API key as a bearer token (see securitySchemes.api-key).
      security:
        - api-key: []
components:
  schemas:
    # Request body for the exchange; all three fields are mandatory.
    TokenExchangeRequestDto:
      type: object
      properties:
        grant_type:
          type: string
          description: Must be 'authorization_code'
          example: authorization_code
        code:
          type: string
          description: The authorization code received from the callback
          # The example is truncated ("..."); treat the code as an opaque
          # string. The error example below ("Authorization code has expired")
          # shows codes are time-limited, so exchange them promptly after the
          # callback.
          example: d4d9cccb37643c5913fe649d1880889a...
        redirect_uri:
          type: string
          # Echoing the original redirect_uri is the RFC 6749 §4.1.3 check that
          # binds the code to the client and callback that started the flow.
          description: Must match the redirect_uri used in the authorize request
          example: https://myapp.com/auth/callback
      required:
        - grant_type
        - code
        - redirect_uri
    # Success response: the identity token plus the user and the organizations
    # (with facilities) the app is authorized for.
    TokenExchangeResponseDtoV3:
      type: object
      properties:
        id_token:
          type: string
          description: OIDC id_token (ES256-signed JWT)
          # ES256 = ECDSA with P-256 and SHA-256 (RFC 7518). Consumers should
          # verify the signature and the standard claims before relying on any
          # claim; the signing-key (JWKS) location is not given in this document.
          example: eyJhbGciOiJFUzI1NiIs...
        user:
          $ref: '#/components/schemas/OAuthUserDtoV3'
        # Always present; the schema sets no minimum length for the array.
        authorizedOrganizations:
          type: array
          items:
            $ref: '#/components/schemas/OAuthOrganizationDtoV3'
      required:
        - id_token
        - user
        - authorizedOrganizations
    # RFC 6749 §5.2-style error body; `error` is restricted to the enum below.
    OAuthErrorDto:
      type: object
      properties:
        error:
          type: string
          description: OAuth 2.0 error code
          example: invalid_grant
          enum:
            - invalid_request
            - invalid_grant
            - invalid_client
            - unsupported_grant_type
            - unauthorized_client
            - server_error
        error_description:
          type: string
          description: Human-readable error description
          example: Authorization code has expired
      required:
        - error
        - error_description
    # Authenticated user. Only `id` and `email` are guaranteed; firstName,
    # lastName and imageUrl are nullable and not in `required`, so clients must
    # handle both a null value and an absent key.
    OAuthUserDtoV3:
      type: object
      properties:
        id:
          type: string
          example: usr_1231b6f32b4f4b8f8eeb4f7806bc45b0
        email:
          type: string
          example: jane@clinic.com
        firstName:
          type: string
          nullable: true
          example: Jane
        lastName:
          type: string
          nullable: true
          example: Doe
        imageUrl:
          type: string
          nullable: true
          example: https://img.clerk.com/...
      required:
        - id
        - email
    # Organization the user has authorized the app for. `role` is nullable and
    # optional; do not treat its absence as a denial or a grant of anything
    # beyond what the API enforces server-side.
    OAuthOrganizationDtoV3:
      type: object
      properties:
        id:
          type: string
          example: org_7e2c8cfeb7a94deb986de7012589e72b
        name:
          type: string
          example: Dermatology Clinic
        role:
          type: string
          nullable: true
          example: admin
        facilities:
          type: array
          items:
            $ref: '#/components/schemas/OAuthFacilityDtoV3'
      required:
        - id
        - name
        - facilities
    # Facility within an organization; `address` is nullable and optional.
    OAuthFacilityDtoV3:
      type: object
      properties:
        id:
          type: string
          example: fac_a1b2c3d4e5f67890abcdef1234567890
        name:
          type: string
          example: Main Office
        address:
          type: string
          nullable: true
          example: 123 Main St, Austin, TX 78701
      required:
        - id
        - name
  securitySchemes:
    # HTTP bearer scheme: `Authorization: Bearer <api key>`. Per the operation
    # description this is the app's own credential, not an end-user token, so
    # it belongs on the app's backend rather than in browser or mobile code.
    api-key:
      scheme: bearer
      bearerFormat: JWT
      type: http
      description: Marketplace API key

````