Skip to content
  • SDKs and APIs
  • Your APIs

Get a user access token to test your APIs

This doc describes how to test user access tokens for your API connection, using Postman and Authorization code (with PKCE).

You can use this process to request tokens for your own and third-party APIs, and to test custom scopes added to claims. Below are the steps to generate id and access tokens with Postman.

For instruction on how to test M2M tokens, see XREF.

Before you begin

Link to this section
Link to this section

If you use audiences in your application, we recommend you register your API with Kinde so that you can include audience in the token request.

An audience defines the recipient of the token and ensures the token can only be used by the intended system. You can trust the token as is, but we would recommend you to use the API authentication using audience.

If you haven’t already, register your API with Kinde and set the audience.

Add custom scopes to the access token

Link to this section

If you have the relevant Kinde plan, and your API is registered, you can add custom scopes to user access tokens for added API security. You might want to test these as part of this procedure.

Step 1: Add callback URLs to your application in Kinde

Link to this section
  1. In Kinde, go to Settings > Applications.
  2. Select View details on the tile for the application you’re testing.
  3. In the Allowed callback URLs section, add this Postman callback URL, as a separate entry on a new line.
  4. Select Save.

Step 2: Send request via Postman

Link to this section

If you are using audiences in your application, we recommend you

  1. In Postman, create a new GET request.

  2. Go to the Authorization tab.

  3. In the Type field, select OAuth 2.0.

  4. Scroll down to the Configure New Token section and set the Grant Type as Authorization Code (With PKCE).

  5. Select the Authorize using browser checkbox.

  6. Set the Auth URL. For example:


    • is the domain
    • prompt=login forces asking for user credentials every login to disable SSO.
  7. (If you’ve registered your API and use audience claims in your product) Add the audience key to the token request, with a value of Note that Kinde supports multiple audiences.

    ℹ️ Older versions of Postman Add the audience parameter to the request url, e.g. ?prompt=login &audience=

  8. In the Access Token URL field enter your Kinde domain URL, e.g.

  9. In the Client ID field, add the Client ID listed in the application the API is authorized for. You can find this in Kinde by going to Settings > Applications > View details > App keys section.

  10. If you are testing a back-end app, Enter the Client Secret. This can be left blank for front-end apps.

  11. Set the Code Challenge Method to SHA-256.

  12. Leave the Code verifier field blank.

  13. Set the value of Scope to openid email offline.

  14. Enter a random value in the State field. It must be at least 8 characters long.

  15. Select Get New Access Token. This should be the result:

    • The ID token contains an aud claim for two audiences, one for the application ID, one for the issuing party.
    • The Access token contains the aud claim for the requested (intended) audience to authenticate the API.
    • The azp claim represents the application client_id you are using to issue the token.
  16. The access token you received can now be used to test and secure your APIs.

    Access token in Postman

Step 3: Validate the token in your API

Link to this section

Check that the token contains the required information and is valid for accessing your application or site. Test may vary depending on your framework, here’s a general topic for verifying JWTs and some recommended libraries.

Things to check, include:

  • Audience
  • Lifetime / validity
  • Scopes