Token endpoint

This endpoint should retrieve the code parameter send in the URL params.

Once this is done your are ready to call the /oauth2/token endpoint to exchange this verification code for an access token and a refresh token.

The access_token is valid for 1 hour and the refresh_token for 90 days

On this step, you should check the received state parameter against the one you provided on the previous authorization call. If they does not match, you should stop the process as the request might have been forged by a malicious thirdparty.

Body parameters

The call to POST https://oauth.qonto.com/oauth2/token must contains the following body parameters:

code

string

required

Temporary authorization code received on the redirect_uri.
Keep in mind that this code is only valid for 10 minutes.

client_id

string

required

Unique identifier of your application. The value will be provided by Qonto after you fulfill the initial registration form.

client_secret

string

required

Secret value created by Qonto and sent to you after you fulfill the initial registration form.

redirect_uri

string

required

URL to redirect the user back to your application after he accept the connection of your application with its account.

This value is used here for verification purpose in case you provided multiple redirect_uri.

grant_type

string

required

Type of token you are requesting.

At this step, it must be authorization_code.

Content type must be application/x-www-form-urlencoded

This call must be performed on your backend as you should never expose the client client_secret.

Response

{
  "access_token": "_ACCESS_TOKEN_",
  "expires_in": 3600,
  "id_token": "_TOKEN_",
  "refresh_token": "_REFRESH_TOKEN_",
  "scope": "offline_access organization.read",
  "token_type": "bearer"
}

access_token

string

Token to use in the Authorization header of the API requests.
This token is valid for 1 hour.

expires_in

integer

Access token lifespan in seconds

id_token

string

JSON Web Token that contains information about the user and the session. It can be digitally verified by your application to create a session.

☝️ To receive the ID token, you need to use the openid scope, in the Login endpoint.

refresh_token

string

Token to exchange against a new access_token when it reaches its end of life. This token is valid for 90 days.

☝️ To receive the refresh token, you need to use the offline_access scope, in the Login endpoint.

cf. the Refresh token endpoint documentation for more details on the refresh process.

scope

string

List of scopes granted to your application.

token_typ

string

Type of token you have requested.
It will always be bearer.

{
  "access_token": "_ACCESS_TOKEN_",
  "expires_in": 3600,
  "id_token": "_TOKEN_",
  "refresh_token": "_REFRESH_TOKEN_",
  "scope": "offline_access organization.read",
  "token_type": "bearer"
}

access_token

string

Token to use in the Authorization header of the API requests.
This token is valid for 1 hour.

expires_in

integer

Access token lifespan in seconds

id_token

string

refresh_token

string

scope

string

List of scopes granted to your application.

token_typ

string

Type of token you have requested.
It will always be bearer.

{
  "error": "Unauthorized",
  "error_description": "The access to the resource is unauthorized.",
  "status_code": 401
}

{
  "error": "Internal Server Error",
  "error_description": "Internal Server Error",
  "status_code": 500
}

Qonto APIs

Business API

Onboarding API

Qonto Embed Web SDK

Token endpoint

Body parameters

Response

Qonto APIs

Business API

Onboarding API

Qonto Embed Web SDK

​Body parameters

​Response

Body parameters

Response