Step 4: Call the Resource
You have an access token from Step 3. Now use it.
Steps 1–3 are identical regardless of what you're calling. Only this step changes. Select the resource type you're targeting:
Calling a REST API
Send the access token as a Bearer token in the Authorization header.
Available endpoints
All endpoints require todos.read scope.
| Method | Path | Description |
|---|---|---|
| GET | /api/todos | Get all todos |
| GET | /api/todos/completed | Get completed todos only |
| GET | /api/todos/incomplete | Get incomplete todos only |
| GET | /api/todos/stats | Get statistics |
Error handling
These errors apply to both REST and MCP calls.
| Error | Cause | Fix |
|---|---|---|
| 401 Unauthorized | Token missing, expired, or invalid signature | Re-run Steps 2–3 to get a fresh token |
| 403 Forbidden | Token valid but scope insufficient | Check the scope claim in the decoded access token |
| 406 Not Acceptable | MCP only; wrong or missing Accept header | Add Accept: application/json, text/event-stream |
Token refresh strategy
Access tokens expire after ~2 hours. On 401:
- If your ID Token is still valid, re-run Step 2 (Token Exchange) then Step 3 (JWT Bearer Grant).
- If the ID Token is also expired, the user must re-authenticate (Step 1).
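As an added example (not code from this guide), here is a small Python client that does what this step and the refresh strategy describe: it sends the token only in the Authorization header, adds the Accept header an MCP endpoint requires, and on the first 401 obtains a fresh token through a caller-supplied callback (standing in for Steps 2–3) before retrying once. The base URL, the callback and the error class are assumptions; the real Steps 2–3 calls are outside this snippet.

```python
import json
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Hypothetical base URL of the Todo resource server (not from the guide).
RESOURCE_BASE = "https://todos.example"
MCP_ACCEPT = "application/json, text/event-stream"


class ResourceCallError(Exception):
    """Raised when the resource rejects the call and a retry will not help."""


def build_request(path, access_token, mcp=False):
    # The token travels only in the Authorization header, never in the URL.
    headers = {"Authorization": f"Bearer {access_token}"}
    if mcp:
        headers["Accept"] = MCP_ACCEPT  # without it an MCP endpoint answers 406
    return Request(RESOURCE_BASE + path, headers=headers)


def http_send(req):
    """Real transport: returns (status, body); 4xx/5xx are data, not exceptions."""
    try:
        with urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


def call_resource(path, access_token, get_fresh_token, send=http_send, mcp=False):
    """GET a protected endpoint; on the first 401 fetch a new token and retry once.

    get_fresh_token is a caller-supplied callback (assumed here) that re-runs
    Step 2 (Token Exchange) and Step 3 (JWT Bearer Grant) and returns the new
    access token. A 401 after that refresh means the user must re-authenticate.
    """
    for attempt in range(2):
        status, body = send(build_request(path, access_token, mcp))
        if status == 200:
            return json.loads(body)
        if status == 401 and attempt == 0:
            access_token = get_fresh_token()  # expired/invalid token: refresh, retry
            continue
        if status == 403:
            raise ResourceCallError("403: token valid but lacks the todos.read scope")
        if status == 406:
            raise ResourceCallError(f"406: MCP endpoints need Accept: {MCP_ACCEPT}")
        raise ResourceCallError(f"{status}: {body}")
```

The `send` parameter exists so the retry logic can be exercised against canned responses without a live resource server.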
Security considerations
- Use the Authorization header: Always send tokens as Authorization: Bearer <token>. Never pass tokens in query strings or URL fragments.
- Token refresh: Access tokens expire after ~2 hours. On 401, re-run Steps 2–3 if your ID Token is still valid, or re-authenticate from Step 1 if it has expired.
- HTTPS only: Always use HTTPS when calling resource servers in production. Tokens sent over plain HTTP can be intercepted.
- Minimal scope: Request only the scopes your application needs. Broader tokens increase the impact of a compromise.
Next step
You've completed the XAA integration guide.
- Error Codes: debug auth errors