Login endpoint

If you are initiating the OAuth flow on the Sandbox environment (https://oauth-sandbox.staging.qonto.co), please make sure to be logged in on the Sandbox web-app first.

Your app should include a “Connect with Qonto” link that will point the user to our OAuth authentication endpoint: https://oauth.qonto.com/oauth2/auth.

The client will be redirected to qonto.com and will have to enter its login and password.

Once logged in we will redirect back the user to the redirect_uri you provided us in the register form.

https://oauth.qonto.com/oauth2/auth?client_id=<Client ID>&redirect_uri=<Redirect URL>&scope=<Scope>&response_type=code&state=123456789

Example:

https://oauth.qonto.com/oauth2/auth? \
  client_id=my-company-name-v1& \
  redirect_uri=https%3A%2F%2Fmy-company-server.com%2F& \
  response_type=code& \
  scope=organization.read%20offline_access%20attachment.write%20internal_transfer.write& \
  state=123456789

Query parameters

The call to GET https://oauth.qonto.com/oauth2/auth must contain the following query parameters:

client_id

string

required

Unique identifier of your application. The value will be provided by Qonto after you fulfill the initial registration form.

redirect_uri

string

required

URL to redirect the user back to your application after he accept the connection of your application with his account.
☝️ redirect_uri needs to be encoded through this tool.

response_type

string

required

Type of authentication flow. Only code is supported.

scope

string

required

It represents the list of permission that your application is requesting on the user account. It can be a single scope or a list of scopes together. In the latter case, the scopes must be written as a space separated list of values.

Examples:
- Single scope : offline_access
- Multiple scopes: offline_access organization.read payment.write

Use the offline_access scope if you require a refresh token.

Please refer to the API Reference section of this documentation to find which specific scopes are required for the actions you would like to perform. You will find the list of the available scopes here.

state

string

required

It is a security parameters to protect against forgery attacks.

You need to pass a value that is unique to the user authenticating.
At the end of the authentication process, you should compare the received state with the one you provided to make sure they are equals.

organization_id

string

If you want to restrict the user to connect to a specific organization, you can pass the organization_id here. If this parameter is present, then the user won’t be asked to select an organization during the oauth flow.

registration_id

string

Starts the oauth flow with a pre-selected organization, linked to the registration_id obtained during the onboarding flow. If this parameter is provided, then the user won’t be asked to select an organization during the oauth flow.

Response

Successfull response. The user is redirected to https://app.qonto.com/signin.

{
  "error": "invalid_grant",
  "error_verbose": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
  "error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
  "status_code": 400
}

This is generally due to a wrong client_id.

Qonto APIs

Business API

Onboarding API

Qonto Embed Web SDK

Login endpoint

Query parameters

Response

Qonto APIs

Business API

Onboarding API

Qonto Embed Web SDK

​Query parameters

​Response

Query parameters

Response