Token exchange

Token exchange is how your backend turns a partner-signed JWT into the Zapier token(s) you need at runtime:
  • an access token (Bearer) for server-side API calls
  • a session code for launching the Connect UI in the browser
Both are obtained from the same endpoint:
POST https://zapier.com/oauth/token

The two token types

Access token (Bearer)

Use an access token for server-side API calls, such as:
  • listing a user’s existing connections
  • running actions
  • polling action run status
Treat access tokens as secrets. Keep them server-side and never expose them in the browser.

Session code (Connect UI)

Use a session code when you need to send the end user through the Connect UI to create or refresh a connection. In the Connect URL, the session code is passed as the token query parameter.

Typical pattern: request both (in two exchanges)

Most partners do two token exchange requests:
  1. Access token: so your backend can list/reuse existing connections and make subsequent API calls.
  2. Session code: only when you need to open Connect UI (e.g. first-time connection or reconnect).
Which token you receive depends on request parameters (notably requested_token_type and scope).

Output and next steps

What you do with the result depends on what you requested:
  • Access token: keep server-side; use it for API calls.
  • Session code: send to your frontend only for launching Connect UI (it is short-lived and should not be cached).
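
The handling rules above (two exchanges; access token kept and reused server-side; session code fetched fresh and handed to the frontend only) can be sketched as a small backend helper. This is an added example, not Zapier's code: the `post_form` transport, the `TokenBroker` name, the two token-type placeholders, the RFC 8693 parameter names other than requested_token_type and scope, and the `access_token` / `expires_in` response fields are all assumptions to check against the API reference.

```python
import time

TOKEN_URL = "https://zapier.com/oauth/token"  # endpoint given on this page
# Placeholders: the page does not list the real requested_token_type values.
ACCESS_TYPE = "<ACCESS_TOKEN_TYPE>"
SESSION_TYPE = "<SESSION_CODE_TYPE>"


class TokenBroker:
    """Server-side holder for exchanged tokens (hypothetical helper)."""

    def __init__(self, post_form, clock=time.monotonic):
        self._post = post_form   # assumed transport: (url, form dict) -> dict
        self._clock = clock
        self._access = {}        # (user_id, scope) -> (token, expires_at)

    def _exchange(self, partner_jwt, token_type, scope):
        # Names other than requested_token_type and scope are assumed
        # to follow RFC 8693 (OAuth 2.0 Token Exchange).
        form = {
            "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
            "subject_token": partner_jwt,
            "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
            "requested_token_type": token_type,
            "scope": scope,
        }
        return self._post(TOKEN_URL, form)

    def access_token(self, user_id, partner_jwt, scope):
        """Bearer token for backend API calls; reused until 30 s before expiry."""
        cached = self._access.get((user_id, scope))
        if cached and cached[1] - 30 > self._clock():
            return cached[0]
        body = self._exchange(partner_jwt, ACCESS_TYPE, scope)
        expires_at = self._clock() + int(body.get("expires_in", 0))
        self._access[(user_id, scope)] = (body["access_token"], expires_at)
        return body["access_token"]

    def session_code_for_browser(self, partner_jwt, scope):
        """Fresh session code per Connect UI launch; never stored server-side."""
        body = self._exchange(partner_jwt, SESSION_TYPE, scope)
        # Only this value goes to the frontend, as the `token` query parameter.
        return {"token": body["access_token"]}
```

The Bearer token never appears in anything returned by `session_code_for_browser`, so a handler that serializes that return value to the browser cannot leak it.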
Next: see Connection flow for popup vs redirect patterns, reconnecting, and callback parameters.