{
  "openapi": "3.0.1",
  "info": {
    "version": "1.0.0",
    "title": "Auth Token Generator",
    "description": "Generates OAuth2 access tokens using client credentials flow.\n\nHow to use this token in other API Specs pages:\n1. Open this **Auth Token Generator** Api Spec.\n2. Run Generate Access Token `POST /oauth2/v2.0/token` with your `client_id`, `client_secret`, `grant_type=client_credentials`, and `scope`.\n3. From the 200 response, copy the full `access_token` value.\n4. Open the target API Spec page (for example, Patron API).\n5. Click the **Authorize** (lock) button.\n6. In the authorization modal, locate the `Value` field for bearer token.\n7. Paste token as: `<access_token>`.\n8. Click **Authorize**, then **Close**.\n9. Execute the target API operation.\n\nImportant:\n- If calls return 401/403, regenerate token and authorize again."
  },
  "servers": [
    {
      "url": "https://login.microsoftonline.com/08bfd489-e14a-4c52-b0f7-9fe62429ce8e",
      "description": "Lower environment"
    }
  ],
  "tags": [
    {
      "name": "AuthToken",
      "description": "Token generation endpoints"
    }
  ],
  "paths": {
    "/oauth2/v2.0/token": {
      "post": {
        "tags": [ "AuthToken" ],
        "summary": "Generate access token",
        "description": "Generates an OAuth2 access token using the client credentials flow.\n\nRequired form fields: `client_id`, `client_secret`, `grant_type`, `scope`.\n\nAfter execution, copy `access_token` from the response and pass it to protected APIs.\n\nToken request curl:\n```bash\ncurl -X POST \"https://login.microsoftonline.com/08bfd489-e14a-4c52-b0f7-9fe62429ce8e/oauth2/v2.0/token\" \\\n  -H \"Content-Type: application/x-www-form-urlencoded\" \\\n  --data-urlencode \"client_id=<client-id>\" \\\n  --data-urlencode \"client_secret=<client-secret>\" \\\n  --data-urlencode \"grant_type=client_credentials\" \\\n  --data-urlencode \"scope=api://<proxy-client-id>/.default\"\n```",
        "requestBody": {
          "required": true,
          "content": {
            "application/x-www-form-urlencoded": {
              "schema": {
                "type": "object",
                "required": [ "client_id", "client_secret", "grant_type", "scope" ],
                "properties": {
                  "client_id": {
                    "type": "string",
                    "description": "Application (client) ID from Azure AD app registration"
                  },
                  "client_secret": {
                    "type": "string",
                    "format": "password",
                    "description": "Client secret from Azure AD app registration"
                  },
                  "grant_type": {
                    "type": "string",
                    "enum": [ "client_credentials" ],
                    "description": "OAuth2 grant type for this flow"
                  },
                  "scope": {
                    "type": "string",
                    "description": "Scope format: api://{proxy-client-id}/.default"
                  }
                },
                "additionalProperties": false
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "Token response. Copy `access_token` and use it in `Authorization: Bearer <access_token>`.",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/TokenResponse"
                },
                "example": {
                  "token_type": "Bearer",
                  "expires_in": 3599,
                  "access_token": "eyJ0eXAiOiJKV1QiLCJ..."
                }
              }
            }
          },
          "400": { "description": "Bad request" },
          "500": { "description": "Server error" }
        }
      }
    }
  },
  "components": {
    "securitySchemes": {
      "BearerAuth": {
        "type": "http",
        "scheme": "bearer",
        "bearerFormat": "JWT",
        "description": "Paste token in format: `Bearer <access_token>`."
      }
    },
    "schemas": {
      "TokenGenerateRequest": {
        "type": "object",
        "required": [ "client_id", "client_secret", "grant_type", "scope" ],
        "properties": {
          "client_id": {
            "type": "string",
            "description": "Application (client) ID from Azure AD app registration"
          },
          "client_secret": {
            "type": "string",
            "description": "Client secret from Azure AD app registration"
          },
          "grant_type": {
            "type": "string",
            "enum": [ "client_credentials" ],
            "example": "client_credentials",
            "description": "OAuth2 grant type for this flow"
          },
          "scope": {
            "type": "string",
            "description": "Scope for the token, typically in the format `api://<proxy-client-id>/.default`"
          }
        },
        "additionalProperties": false
      },
      "TokenResponse": {
        "type": "object",
        "properties": {
          "token_type": {
            "type": "string",
            "example": "Bearer"
          },
          "expires_in": {
            "type": "integer",
            "format": "int32",
            "example": 3599
          },
          "access_token": {
            "type": "string",
            "description": "Copy this value and pass it as `Authorization: Bearer <access_token>` in protected API calls."
          }
        }
      }
    }
  }
}