> ## Documentation Index
> Fetch the complete documentation index at: https://help-plum.xoxoday.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Creating User Tokens using Company Token

> Exchange a Company Bearer token for a User-scoped access token. Pass your Company-level Bearer token in the `Authorization` header; the JSON body names the Super Admin the session is for. The response returns a full token set scoped to that user session. The Company token is the privileged credential in this exchange (it is what authorizes minting a session for the given Super Admin), so keep it server-side and send it only in the header, never in the body or a query string.


## Request Body

| **Property** | **Type** | **Description**                                                        |
| :----------- | :------- | :--------------------------------------------------------------------- |
| `user_input` | `String` | Email address of the Super Admin the user token is issued for.         |
| `scope`      | `String` | Permission scope being assigned. Use `user_session`.                   |

## Response Schema

| **Path**               | **Type** | **Description**                                                                                                          |
| ---------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------ |
| `access_token`         | string   | Newly generated access token for the user.                                                                               |
| `token_type`           | string   | Always `"bearer"`.                                                                                                       |
| `expires_in`           | number   | Access token validity in seconds (the example value `1296000` is 15 days).                                               |
| `refresh_token`        | string   | Token used to obtain a new access token once it expires. Each refresh issues a new refresh token and immediately invalidates the old one. |
| `access_token_expiry`  | number   | Epoch timestamp (ms) when the access token expires.                                                                      |
| `refresh_token_expiry` | number   | Epoch timestamp (ms) when the refresh token expires.                                                                     |
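A worked client for this exchange, added here as an example rather than code from Xoxoday or this page: it assembles the `POST /token/create/user` request with the Company token in the `Authorization` header, validates a `TokenResponse` against the schema above (required fields, `token_type`, agreement between `expires_in` and `access_token_expiry`, refresh expiry after access expiry), and tracks when the access token must be refreshed. The HTTP client (standard-library `urllib`), the environment variable `XOXODAY_COMPANY_TOKEN` and the sample response are this example's own assumptions; the sample mirrors the page's `200` example values and is not a live token.

```python
"""Added example, not Xoxoday's own code: assemble the exchange request for
POST /token/create/user and validate the TokenResponse it returns.

Assumed (not on the page): urllib from the standard library as the HTTP
client, and that the Company token is read from the environment variable
XOXODAY_COMPANY_TOKEN. SAMPLE_RESPONSE is constructed from the page's
example values.
"""
import json
import os
import time
import urllib.error
import urllib.request
from dataclasses import dataclass

SANDBOX = "https://stagingstores.xoxoday.com/chef/v1/oauth"
TOKEN_PATH = "/token/create/user"
REQUIRED_FIELDS = ("access_token", "token_type", "expires_in",
                   "refresh_token", "access_token_expiry", "refresh_token_expiry")

# Constructed sample mirroring the 200 example on the page (not a live token).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.example",
    "token_type": "bearer",
    "expires_in": 1296000,
    "refresh_token": "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4.example",
    "access_token_expiry": 1718000000000,
    "refresh_token_expiry": 1720000000000,
}).encode()


def build_request(company_token, super_admin_email, server=SANDBOX):
    """Build (but do not send) the exchange request.

    The Company token is the privileged credential: it travels only in the
    Authorization header. The JSON body carries the two documented fields.
    """
    if not company_token or not company_token.strip():
        raise ValueError("Company token must not be empty")
    body = json.dumps({"user_input": super_admin_email,
                       "scope": "user_session"}).encode()
    return urllib.request.Request(
        server.rstrip("/") + TOKEN_PATH, data=body, method="POST",
        headers={"Authorization": f"Bearer {company_token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"})


@dataclass(frozen=True)
class TokenSet:
    access_token: str
    refresh_token: str
    access_token_expiry_ms: int   # epoch ms, as documented
    refresh_token_expiry_ms: int  # epoch ms, as documented

    def access_token_expired(self, now_ms, leeway_s=60):
        """Stop using the access token a little before the server will."""
        return now_ms + leeway_s * 1000 >= self.access_token_expiry_ms

    def can_refresh(self, now_ms):
        """A refresh is only possible while the refresh token itself lives."""
        return now_ms < self.refresh_token_expiry_ms


def parse_token_response(status, raw, now_ms, skew_tolerance_s=300):
    """Validate an HTTP reply from /token/create/user and return a TokenSet.

    expires_in (seconds) and access_token_expiry (epoch ms) describe the same
    instant; a large disagreement means a clock problem on one side or a
    reply that did not come from the token endpoint, so it is rejected.
    """
    if status == 401:
        raise PermissionError("Company token rejected: 401 Unauthorized")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    doc = json.loads(raw)
    missing = [f for f in REQUIRED_FIELDS if f not in doc]
    if missing:
        raise ValueError(f"token response missing fields: {missing}")
    if str(doc["token_type"]).lower() != "bearer":
        raise ValueError(f"unexpected token_type {doc['token_type']!r}")
    predicted_expiry_ms = now_ms + int(doc["expires_in"]) * 1000
    if abs(predicted_expiry_ms - int(doc["access_token_expiry"])) > skew_tolerance_s * 1000:
        raise ValueError("expires_in and access_token_expiry disagree")
    if int(doc["refresh_token_expiry"]) <= int(doc["access_token_expiry"]):
        raise ValueError("refresh token would expire before the access token")
    return TokenSet(doc["access_token"], doc["refresh_token"],
                    int(doc["access_token_expiry"]), int(doc["refresh_token_expiry"]))


def exchange(company_token, super_admin_email, server=SANDBOX):
    """Send the request and validate the reply (needs network access)."""
    req = build_request(company_token, super_admin_email, server)
    now_ms = int(time.time() * 1000)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return parse_token_response(resp.status, resp.read(), now_ms)
    except urllib.error.HTTPError as err:
        return parse_token_response(err.code, err.read(), now_ms)


if __name__ == "__main__":
    # Offline demo: "now" is the issue time implied by the sample's expires_in.
    now = 1718000000000 - 1296000 * 1000
    tokens = parse_token_response(200, SAMPLE_RESPONSE, now)
    print("access token expired at issue time?", tokens.access_token_expired(now))
    print("refresh possible at access expiry?", tokens.can_refresh(1718000000000))
    if os.environ.get("XOXODAY_COMPANY_TOKEN"):
        print(exchange(os.environ["XOXODAY_COMPANY_TOKEN"], "admin@example.com"))
```

Run it with no environment variable to see the offline checks against the constructed sample; set `XOXODAY_COMPANY_TOKEN` to perform a real exchange against the Sandbox server. The skew tolerance exists because `expires_in` is relative to the server clock while `access_token_expiry` is absolute; a few minutes of drift is normal, an hour is not.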


## OpenAPI

````yaml specs/reward-points-api.yaml POST /token/create/user
openapi: 3.0.3
info:
  title: Xoxoday Reward Points API
  version: '1.2'
  description: >
    APIs for sending, fetching, and cancelling reward points in the Xoxoday
    ecosystem.


    **Auth endpoints** use operation-level server overrides against
    `https://stagingstores.xoxoday.com/chef/v1/oauth`.


    **Points operations** (`/fetchPoints`, `/sendPoints`, `/cancelPoints`) are
    virtual path suffixes: all three really dispatch to `POST /v1/oauth/api`
    via the body `query` field. OpenAPI does not allow two POST operations on
    the same path, so virtual suffixes are used for playground differentiation.


    **Cancel Points** uses `accounts.xoxoday.com` as its real host
    (operation-level server override applied).
servers:
  - url: https://stagingstores.xoxoday.com/chef/v1/oauth/api
    description: Sandbox
  - url: https://accounts.xoxoday.com/chef/v1/oauth/api
    description: Production
  - url: https://canvas.xoxoday.com/chef/v1/oauth/api
    description: Testing
security:
  - BearerAuth: []
tags:
  - name: Authentication
    description: Token management — validate, refresh, and create user tokens.
  - name: Points
    description: Send, fetch, and cancel reward points.
paths:
  /token/create/user:
    post:
      tags:
        - Authentication
      summary: Creating User Tokens using Company Token
      description: >
        Exchange a Company Bearer token for a User-scoped access token. Pass
        your Company-level Bearer token in the `Authorization` header. The
        response returns a full token set scoped to the specified user session.
      operationId: createUserToken
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - user_input
                - scope
              properties:
                user_input:
                  type: string
                  format: email
                  description: Super Admin email address.
                  example: your.email@example.com
                scope:
                  type: string
                  description: Permission scope being assigned. Use `user_session`.
                  example: user_session
            example:
              user_input: your.email@example.com
              scope: user_session
      responses:
        '200':
          description: User-scoped tokens issued successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
              example:
                access_token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
                token_type: bearer
                expires_in: 1296000
                refresh_token: dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4...
                access_token_expiry: 1718000000000
                refresh_token_expiry: 1720000000000
        '401':
          $ref: '#/components/responses/Unauthorized'
      servers:
        - url: https://stagingstores.xoxoday.com/chef/v1/oauth
          description: Sandbox
        - url: https://accounts.xoxoday.com/chef/v1/oauth
          description: Production
        - url: https://canvas.xoxoday.com/chef/v1/oauth
          description: Testing
components:
  schemas:
    TokenResponse:
      type: object
      properties:
        access_token:
          type: string
          description: Newly generated access token.
        token_type:
          type: string
          example: bearer
        expires_in:
          type: integer
          description: Access token validity in seconds.
        refresh_token:
          type: string
          description: New refresh token (old one is immediately invalidated).
        access_token_expiry:
          type: number
          description: Epoch timestamp (ms) when the access token expires.
        refresh_token_expiry:
          type: number
          description: Epoch timestamp (ms) when the refresh token expires.
  responses:
    Unauthorized:
      description: Missing or invalid access token.
      content:
        application/json:
          schema:
            type: object
            properties:
              error:
                type: string
                example: Unauthorized
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      description: '`Authorization: Bearer <access_token>`'

````