[DOCS] Edits the get tokens API (#45312)

x-pack/docs/en/rest-api/security/get-tokens.asciidoc

@@ -12,6 +12,10 @@ Creates a bearer token for access without requiring basic authentication.
 
 `POST /_security/oauth2/token` 
 
+[[security-api-get-token-prereqs]]
+==== {api-prereq-title}
+
+* To use this API, you must have the `manage_token` cluster privilege.
 
 [[security-api-get-token-desc]]
 ==== {api-description-title}
@@ -45,33 +49,56 @@ The following parameters can be specified in the body of a POST request and
 pertain to creating a token:
 
 `grant_type`::
-(string) The type of grant. Supported grant types are: `password`, `_kerberos`,
-`client_credentials` and `refresh_token`. The `_kerberos` grant type
-is supported internally and implements SPNEGO based Kerberos support. The `_kerberos`
-grant type may change from version to version.
+(Required, string) The type of grant.
+Supported grant types are: `password`, `_kerberos`,
+`client_credentials` and `refresh_token`.
+
+`client_credentials`:::
+This grant type implements the Client Credentials Grant of OAuth2. It is geared
+for machine to machine communication and is not suitable or designed for the
+self-service user creation of tokens. It generates only access tokens that
+cannot be refreshed. The premise is that the entity that uses
+`client_credentials` has constant access to a set of (client, not end-user)
+credentials and can authenticate itself at will. 
+
+`_kerberos`::: 
+This grant type is supported internally and implements SPNEGO based Kerberos
+support. The `_kerberos` grant type may change from version to version.
+
+`password`:::
+This grant type implements the Resource Owner Password Credentials Grant of
+OAuth2. In this grant, a trusted client exchanges the end user's credentials
+for an access token and (possibly) a refresh token. The request needs to be made
+by an authenticated user but happens _on behalf_ of another authenticated user
+(the one whose credentials are passed as request parameters). This grant type is
+not suitable or designed for the self-service user creation of tokens.
+
+`refresh_token`:::
+This grant type implements the Refresh Token Grant of OAuth2.
+In this grant a user exchanges a previously issued refresh token for a new access token and a new refresh token.
 
 `password`::
-(string) The user's password. If you specify the `password` grant type, this 
+(Optional^*^, string) The user's password. If you specify the `password` grant type, this
 parameter is required. This parameter is not valid with any other supported
 grant type.
 
 `kerberos_ticket`::
-(string) base64 encoded kerberos ticket. If you specify the `_kerberos` grant type,
-this parameter is required. This parameter is not valid with any other supported
-grant type.
+(Optional^*^, string) The base64 encoded kerberos ticket. If you specify the
+`_kerberos` grant type, this parameter is required. This parameter is not valid
+with any other supported grant type.
 
 `refresh_token`::
-(string) If you specify the `refresh_token` grant type, this parameter is 
-required. It contains the string that was returned when you created the token 
-and enables you to extend its life. This parameter is not valid with any other
+(Optional^*^, string) The string that was returned when you created the token, 
+which enables you to extend its life. If you specify the `refresh_token` grant
+type, this parameter is required. This parameter is not valid with any other
 supported grant type.
 
 `scope`::
-(string) The scope of the token. Currently tokens are only issued for a scope of
+(Optional, string) The scope of the token. Currently tokens are only issued for a scope of
 `FULL` regardless of the value sent with the request.
 
 `username`::
-(string) The username that identifies the user. If you specify the `password` 
+(Optional^*^, string) The username that identifies the user. If you specify the `password` 
 grant type, this parameter is required. This parameter is not valid with any
 other supported grant type.