# Exchange OIDC LoginGrant code for JWTs

Exchanges a one-time LoginGrant code produced by the SPA OIDC callback for a pair of JWT access/refresh tokens and the current user payload. The code is single-use and expires after a short time window.

Endpoint: POST /auth/oidc/exchange
Version: 1.0.0

## Request fields (application/json):

  - `code` (string, required)
    One-time login code issued by the OIDC callback.

## Response 200 fields (application/json):

  - `access` (string, required)
    Short-lived JWT access token.

  - `refresh` (string, required)
    Long-lived JWT refresh token.

  - `user` (object, required)

  - `user.id` (integer, required)

  - `user.username` (string, required)
    Required. 150 characters or fewer. Letters, digits and @/./+/-/_ only.

  - `user.firstName` (string, required)

  - `user.lastName` (string, required)

  - `user.uuid` (string)

  - `user.groups` (array, required)
    Enum: "ADM View Only", "ADM Planner", "ADM Flight Manager", "ADM Resource Configurator", "ADM Rules & Tags Configurator"

## Response 400 fields (application/json):

  - `detail` (string, required)