Your app should include a “Connect with Qonto” link that will point the user to our OAuth authentication endpoint: https://oauth.qonto.com/oauth2/auth.

The user will be redirected to qonto.com and will have to enter their login and password.

Once logged in, we will redirect the user back to the redirect_uri you provided in the registration form.

https://oauth.qonto.com/oauth2/auth?client_id=<Client ID>&redirect_uri=<Redirect URL>&scope=<Scope>&response_type=code&state=123456789

Example:

https://oauth.qonto.com/oauth2/auth? \
  client_id=my-company-name-v1& \
  redirect_uri=https%3A%2F%2Fmy-company-server.com%2F& \
  response_type=code& \
  scope=organization.read%20offline_access%20attachment.write%20internal_transfer.write& \
  state=123456789

Query parameters

The call to GET https://oauth.qonto.com/oauth2/auth must contain the following query parameters:

client_id
string
required

Unique identifier of your application. The value will be provided by Qonto after you fulfill the initial registration form.

redirect_uri
string
required

URL to redirect the user back to your application after they accept connecting your application to their account.
☝️ redirect_uri needs to be URL-encoded (percent-encoded) through this tool.

response_type
string
required

Type of authentication flow. Only code is supported.

scope
string
required

It represents the list of permissions that your application is requesting on the user's account. It can be a single scope or several scopes together. In the latter case, the scopes must be written as a space-separated list of values.

Examples:
- Single scope: offline_access
- Multiple scopes: offline_access organization.read payment.write

Use the offline_access scope if you require a refresh token.

Please refer to the API Reference section of this documentation to find which specific scopes are required for the actions you would like to perform. You will find the list of the available scopes here.

state
string
required

It is a security parameter that protects against cross-site request forgery attacks.

You need to pass a value that is unique to the user authenticating.
At the end of the authentication process, you should compare the received state with the one you provided to make sure they are equal.

organization_id
string

If you want to restrict the user to connecting to a specific organization, you can pass the organization_id here. If this parameter is present, the user won’t be asked to select an organization during the OAuth flow.

registration_id
string

Starts the oauth flow with a pre-selected organization, linked to the registration_id obtained during the onboarding flow. If this parameter is provided, then the user won’t be asked to select an organization during the oauth flow.
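The following is an added example, not Qonto's own code: it builds the authorization URL from the parameters above (percent-encoding redirect_uri and the space-separated scope list), stores a per-user random state, and checks that state on the callback. The client_id, redirect_uri, scopes and session ids are constructed sample values.

```python
# Added example (not Qonto's code). Endpoint and parameter names are from the
# documentation; client_id, redirect_uri, scopes and session ids are samples.
import secrets
import hmac
from urllib.parse import urlencode, quote, urlparse, parse_qs

AUTH_ENDPOINT = "https://oauth.qonto.com/oauth2/auth"

# In a real app the pending state lives in the user's server-side session;
# a dict keyed by session id stands in for that here.
PENDING_STATES = {}


def build_authorize_url(session_id, client_id, redirect_uri, scopes, organization_id=None):
    """Return the URL to send the user to.

    scopes is a list; it is joined with spaces. quote_via=quote makes
    urlencode emit %20 for spaces and %2F for slashes, as in the docs.
    """
    state = secrets.token_urlsafe(32)  # unique, unguessable per-user value
    PENDING_STATES[session_id] = state
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",  # only 'code' is supported
        "scope": " ".join(scopes),
        "state": state,
    }
    if organization_id:
        params["organization_id"] = organization_id
    return f"{AUTH_ENDPOINT}?{urlencode(params, quote_via=quote)}"


def handle_callback(session_id, callback_url):
    """Validate the redirect back to redirect_uri.

    Returns the authorization code, or None when the state is missing,
    unknown for this session, already used, or does not match.
    """
    query = parse_qs(urlparse(callback_url).query)
    expected = PENDING_STATES.pop(session_id, None)  # single use
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        return None
    if not hmac.compare_digest(expected, received):
        return None
    return query.get("code", [None])[0]
```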

Response

Successful response. The user is redirected to https://app.qonto.com/signin.