In your /oauth2/authorize URL, I see that you're using the 'response_type=code' flow, which means you're using the OAuth 2 "code flow". In this flow, the code that you get back from that page is an "authorization code", not an "access token". When using the code flow, you need to then exchange the authorization code for an access token by calling /oauth2/token. The /oauth2/token response will contain the access token that you can then use to make actual API calls. (Attempting to use an authorization code in place of an access token to attempt to make actual API calls will result in an 'invalid_access_token' error.) You can find more information on how the OAuth flow works in the OAuth Guide, as well as the authorization documentation.
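The exchange described above, as an added example that is not part of the original post: a local mock provider and a client that first misuses the authorization code as a bearer token, then exchanges it at /oauth2/token and calls the API with the resulting access token. The `/api` route, client credentials, code value and the HTTP 401 status are constructed assumptions, and `redirect_uri` and PKCE checks are omitted.

```python
import http.client, json, secrets, threading, urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

CLIENT = {"client_id": "client-123", "client_secret": "constructed-secret"}  # constructed
CODES, TOKENS = {}, set()  # pending authorization code -> client_id; issued access tokens

class MockProvider(BaseHTTPRequestHandler):  # constructed stand-in for the provider
    log_message = lambda self, *args: None   # silence per-request logging
    def _send(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(body).encode())
    def do_POST(self):  # /oauth2/token: swap a single-use authorization code for a token
        raw = self.rfile.read(int(self.headers["Content-Length"])).decode()
        form = {k: v[0] for k, v in urllib.parse.parse_qs(raw).items()}
        ok = (self.path == "/oauth2/token" and form.get("grant_type") == "authorization_code"
              and all(form.get(k) == v for k, v in CLIENT.items())
              and CODES.pop(form.get("code"), None) == form["client_id"])
        if not ok:
            return self._send(400, {"error": "invalid_grant"})
        TOKENS.add(token := secrets.token_urlsafe(32))
        self._send(200, {"access_token": token, "token_type": "bearer"})
    def do_GET(self):  # hypothetical /api route: accepts access tokens only
        if self.headers.get("Authorization", "").removeprefix("Bearer ") in TOKENS:
            return self._send(200, {"ok": True})
        self._send(401, {"error": "invalid_access_token"})  # HTTP 401 is an assumption

def call(port, path, bearer=None, form=None):
    headers = {"Authorization": "Bearer " + bearer} if bearer else {}
    conn = http.client.HTTPConnection("127.0.0.1", port)
    conn.request("POST" if form else "GET", path, form and urllib.parse.urlencode(form), headers)
    resp = conn.getresponse()
    return resp.status, json.load(resp)

def demo():
    server = HTTPServer(("127.0.0.1", 0), MockProvider)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port, code = server.server_port, "constructed-auth-code"
    CODES[code] = CLIENT["client_id"]  # as if /oauth2/authorize had just redirected with it
    form = {"grant_type": "authorization_code", "code": code, **CLIENT}
    misuse = call(port, "/api", bearer=code)           # code sent where a token belongs
    _, body = call(port, "/oauth2/token", form=form)   # the exchange step
    api = call(port, "/api", bearer=body["access_token"])
    replay = call(port, "/oauth2/token", form=form)    # codes are single-use
    server.shutdown()
    return misuse, api, replay

if __name__ == "__main__":
    print(demo())
```

The second exchange attempt fails because the mock invalidates the code on first use, which is why a leaked authorization code is far less valuable than a leaked access token.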