Access tokens are credentials used to access protected resources. An access token is a string representing an authorization issued to the client. The string is usually opaque to the client. Tokens represent specific scopes and durations of access, granted by the resource owner, and enforced by the resource server and authorization server.
RFC 6749 4.1. Authorization Code Grant -> 4.1.3. Access Token Request
The client makes a request to the token endpoint by sending the following parameters using the "application/x-www-form-urlencoded" format per Appendix B with a character encoding of UTF-8 in the HTTP request entity-body...
curl -v -i -k -H "Authorization: OAuth" -X POST https://example.com/orestapi/oauth2/access_token -d "grant_type=authorization_code&code=Sgw7P0b5XaDvedkrK1SRe6kTVG4&redirect_uri=URI&client_id=M3SIwV0JqDyguvhmV0nlvsMJz75DR48c&client_secret=bHOKmLn4PHsGL0sHQiTcSAyHCtZjrOGy"
RFC 6749 4.1. Authorization Code Grant -> 4.1.4. Access Token Response
If the access token request is valid and authorized, the authorization server issues an access token and optional refresh token as described in Section 5.1. If the request client authentication failed or is invalid, the authorization server returns an error response as described in Section 5.2.
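The request and response handling described above, from the client's side, as an added example that is not code from the original page or from any product it mentions. The function names, the TokenError class and the sample response are constructed for illustration; client_id and client_secret travel in the form body, as in the curl command above.

```python
import json
from urllib.parse import urlencode

# Error codes defined in RFC 6749 Section 5.2.
KNOWN_ERRORS = {"invalid_request", "invalid_client", "invalid_grant",
                "unauthorized_client", "unsupported_grant_type", "invalid_scope"}

class TokenError(Exception):
    def __init__(self, code):
        super().__init__(code)
        self.code = code

def build_token_request(code, redirect_uri, client_id, client_secret):
    """Headers and UTF-8 form body for the 4.1.3 request; nothing goes in the URL."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id,
                      "client_secret": client_secret}).encode("utf-8")
    return {"Content-Type": "application/x-www-form-urlencoded"}, body

def parse_token_response(status, content_type, raw):
    """Return the validated 5.1 fields, or raise TokenError for 5.2 / malformed replies."""
    if content_type.split(";")[0].strip().lower() != "application/json":
        raise TokenError("bad_content_type")
    try:
        doc = json.loads(raw)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        raise TokenError("bad_json")
    if status != 200 or "error" in doc:
        err = doc.get("error")
        # Only surface codes the RFC defines; anything else is untrusted text.
        raise TokenError(err if isinstance(err, str) and err in KNOWN_ERRORS else "unknown_error")
    token, ttype, ttl = doc.get("access_token"), doc.get("token_type"), doc.get("expires_in")
    if not (isinstance(token, str) and token and isinstance(ttype, str) and ttype):
        raise TokenError("missing_required_field")
    if ttl is not None and (isinstance(ttl, bool) or not isinstance(ttl, int) or ttl <= 0):
        raise TokenError("bad_expires_in")
    # token_type is case-insensitive (Section 5.1); refresh_token is optional.
    return {"access_token": token, "token_type": ttype.lower(),
            "expires_in": ttl, "refresh_token": doc.get("refresh_token")}

# Constructed sample response, not captured from any real server.
SAMPLE_OK = b'{"access_token":"constructed-token","token_type":"Bearer","expires_in":3600}'

if __name__ == "__main__":
    print(build_token_request("constructed-code", "https://client.example/cb", "id", "secret"))
    print(parse_token_response(200, "application/json;charset=UTF-8", SAMPLE_OK))
```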