  1. Exchange the code from the previous step for a user access token by making a POST request to this URL, along with the following query parameters: {% data variables.product.oauth_host_code %}/login/oauth/access_token

    | Query parameter | Type | Description |
    | --- | --- | --- |
    | `client_id` | `string` | Required. The client ID for your {% data variables.product.prodname_github_app %}. The client ID is different from the app ID. You can find the client ID on the settings page for your app. For more information about navigating to the settings page for your {% data variables.product.prodname_github_app %}, see AUTOTITLE. |
    | `client_secret` | `string` | Required. The client secret for your {% data variables.product.prodname_github_app %}. You can generate a client secret on the settings page for your app. |
    | `code` | `string` | Required. The code you received in the previous step. |
    | `redirect_uri` | `string` | The URL in your application where users will be sent after authorization. This must be an exact match to one of the URLs you provided as a "Callback URL" when setting up your {% data variables.product.prodname_github_app %} and can't contain any additional parameters. |
    {% ifversion pkce_support %}| `code_verifier` | `string` | Strongly recommended. Used to secure the authentication flow with PKCE (Proof Key for Code Exchange). Required if `code_challenge` was sent during the user authorization. Must be the original value used to generate the `code_challenge` in the authorization request. This can be stored in a cookie alongside the `state` parameter or in a session variable during authentication, depending on your application architecture. |{% endif %}
    | `repository_id` | `string` | The ID of a single repository that the user access token can access. If the {% data variables.product.prodname_github_app %} or user cannot access the repository, this will be ignored. Use this parameter to restrict the access of the user access token further. |
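
The `code_verifier` and `state` handling described in the table, as an added example (not part of the original documentation and not GitHub's own code). It assumes the S256 challenge method and the `code_challenge_method` parameter name from RFC 7636, a dict-like server-side `session`, and that the parameters are sent form-encoded in the POST body; the function names and the host passed in are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode
from urllib.request import Request


def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)), unpadded (RFC 7636 S256)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def begin_authorization(session):
    """Store state and code_verifier in the session; return the authorization-request values."""
    session["state"] = secrets.token_urlsafe(32)
    session["code_verifier"] = secrets.token_urlsafe(64)  # 86 chars (RFC allows 43-128)
    return {"state": session["state"],
            "code_challenge": s256_challenge(session["code_verifier"]),
            "code_challenge_method": "S256"}


def build_exchange(session, callback, oauth_host, client_id, client_secret,
                   redirect_uri=None, repository_id=None):
    """Validate the callback, then build (not send) the token-exchange POST."""
    expected = session.pop("state", None)          # pop: both values are single use
    verifier = session.pop("code_verifier", None)
    if not expected or not verifier:
        raise ValueError("no authorization in progress for this session")
    if not hmac.compare_digest(expected.encode(), callback.get("state", "").encode()):
        raise ValueError("state mismatch")
    if not callback.get("code"):
        raise ValueError("callback carried no code")
    params = {"client_id": client_id, "client_secret": client_secret,
              "code": callback["code"], "code_verifier": verifier}
    if redirect_uri is not None:
        params["redirect_uri"] = redirect_uri
    if repository_id is not None:
        params["repository_id"] = str(repository_id)
    # Assumption: parameters go form-encoded in the body, keeping the secret out of URLs.
    return Request(oauth_host.rstrip("/") + "/login/oauth/access_token",
                   data=urlencode(params).encode("ascii"), method="POST",
                   headers={"Accept": "application/json"})
```

Because `state` and `code_verifier` are popped before any check, a replayed or forged callback cannot reuse them; the caller sends the returned request with `urllib.request.urlopen`.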