This endpoint should retrieve the code parameter sent in the URL query parameters.

Once this is done, you are ready to call the /oauth2/token endpoint to exchange this authorization code for an access token and a refresh token.

The access_token is valid for 1 hour and the refresh_token for 90 days.

At this step, before exchanging the code, check the received state parameter against the one you provided in the previous authorization call. If they do not match, stop the process: the request may have been forged by a malicious third party (for example, an attacker trying to bind their own authorization code to your user's session).

Body parameters

The call to POST https://oauth.qonto.com/oauth2/token must contain the following body parameters:

code
string
required

Temporary authorization code received on the redirect_uri.
Keep in mind that this code is only valid for 10 minutes.

client_id
string
required

Unique identifier of your application. The value will be provided by Qonto after you fulfill the initial registration form.

client_secret
string
required

Secret value created by Qonto and sent to you after you fulfill the initial registration form.

redirect_uri
string
required

URL to redirect the user back to your application after they accept connecting your application to their account.

This value is used here for verification purposes, in case you registered multiple redirect_uri values: it must match the one used in the authorization call.

grant_type
string
required

Type of token you are requesting.

At this step, it must be authorization_code.

Content type must be application/x-www-form-urlencoded

This call must be performed from your backend, as you should never expose the client_secret to a browser or mobile client.

Response

{
  "access_token": "_ACCESS_TOKEN_",
  "expires_in": 3600,
  "id_token": "_TOKEN_",
  "refresh_token": "_REFRESH_TOKEN_",
  "scope": "offline_access organization.read",
  "token_type": "bearer"
}
access_token
string

Token to send in the Authorization header of API requests (Authorization: Bearer <access_token>).
This token is valid for 1 hour.

expires_in
integer

Access token lifespan in seconds

id_token
string

JSON Web Token that contains information about the user and the session. Your application can verify its signature and read its claims to create a local session.

☝️ To receive the ID token, you need to use the openid scope, in the Login endpoint.

refresh_token
string

Token to exchange for a new access_token when the current one expires. This token is valid for 90 days.

☝️ To receive the refresh token, you need to use the offline_access scope, in the Login endpoint.

cf. the Refresh token endpoint documentation for more details on the refresh process.

scope
string

List of scopes granted to your application.

token_type
string

Type of token issued.
It will always be bearer.
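The steps above (read code and state from the callback URL, check state, build the form-encoded body for POST /oauth2/token, validate the response) as one backend-side flow. This is an added example, not Qonto's own code or SDK; the callback URL, client_id, client_secret and redirect_uri values are placeholders, and the sample response is constructed from the documented shape, so nothing here hits the network unless exchange_code is called. The id_token is passed through unverified here: checking its signature needs the issuer's signing keys, which this page does not cover.

```python
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

TOKEN_URL = "https://oauth.qonto.com/oauth2/token"


def parse_callback(callback_url, expected_state):
    """Read code and state from the redirect URL and validate state.

    expected_state is the value your backend stored (e.g. in the user's
    session) when it built the authorization request. The comparison is
    constant-time so the check leaks nothing about the stored value.
    """
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    code = params.get("code", [""])[0]
    if not state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        # Stop here: the callback may have been forged by a third party.
        raise ValueError("state mismatch on OAuth callback")
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_body(code, client_id, client_secret, redirect_uri):
    """Form-encode the body for POST /oauth2/token (grant_type=authorization_code)."""
    return urlencode({
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,  # must match the one used in the authorization call
        "grant_type": "authorization_code",
    })


def parse_token_response(raw_json):
    """Validate the token response and return the fields the application stores."""
    data = json.loads(raw_json)
    for key in ("access_token", "expires_in", "token_type"):
        if key not in data:
            raise ValueError(f"token response missing {key}")
    if data["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {data['token_type']!r}")
    scopes = set(data.get("scope", "").split())
    # refresh_token is only present when offline_access was requested,
    # id_token only when openid was requested, so both are optional here.
    return {
        "access_token": data["access_token"],
        "expires_in": int(data["expires_in"]),
        "refresh_token": data.get("refresh_token"),
        "id_token": data.get("id_token"),
        "scopes": scopes,
    }


def exchange_code(code, client_id, client_secret, redirect_uri, timeout=10):
    """Backend-to-backend exchange; never run this where client_secret could leak."""
    body = build_token_body(code, client_id, client_secret, redirect_uri).encode()
    req = Request(
        TOKEN_URL,
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
        method="POST",
    )
    with urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode())


# Constructed sample, modelled on the documented response shape (not captured traffic).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "_ACCESS_TOKEN_",
    "expires_in": 3600,
    "id_token": "_TOKEN_",
    "refresh_token": "_REFRESH_TOKEN_",
    "scope": "offline_access organization.read",
    "token_type": "bearer",
})

if __name__ == "__main__":
    # Placeholder callback URL and credentials; only the offline parsing is exercised.
    code = parse_callback("https://app.example.com/callback?code=abc123&state=xyz", "xyz")
    print(build_token_body(code, "my-client-id", "my-client-secret",
                           "https://app.example.com/callback"))
    print(parse_token_response(SAMPLE_RESPONSE))
```

Store the state value server-side per login attempt and discard it after one use, so a replayed callback fails the check; the code itself expires after 10 minutes, so exchange it immediately rather than queuing it.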