Token endpoint
This endpoint should retrieve the code parameter sent in the URL query parameters of the redirect. Once this is done you are ready to call the /oauth2/token endpoint to exchange this verification code for an access token and a refresh token. The access_token is valid for 1 hour and the refresh_token for 90 days.
At this step, you should check the received state parameter against the one you provided in the previous authorization call. If they do not match, you should stop the process, as the request might have been forged by a malicious third party.
Body parameters
The call to POST https://oauth.qonto.com/oauth2/token must contain the following body parameters:
code: Temporary authorization code received on the redirect_uri. Keep in mind that this code is only valid for 10 minutes.
client_id: Unique identifier of your application. The value will be provided by Qonto after you fulfill the initial registration form.
client_secret: Secret value created by Qonto and sent to you after you fulfill the initial registration form.
redirect_uri: URL to redirect the user back to your application after they accept the connection of your application with their account. This value is used here for verification purposes in case you provided multiple redirect_uri values.
grant_type: Type of token you are requesting. At this step, it must be authorization_code.
The Content-Type header must be application/x-www-form-urlencoded.
Response
access_token: Token to use in the Authorization header of the API requests. This token is valid for 1 hour.
expires_in: Access token lifespan in seconds.
id_token: JSON Web Token that contains information about the user and the session. It can be digitally verified by your application to create a session.
☝️ To receive the ID token, you need to use the openid scope in the Login endpoint.
refresh_token: Token to exchange for a new access_token when it reaches its end of life. This token is valid for 90 days.
☝️ To receive the refresh token, you need to use the offline_access scope in the Login endpoint.
cf. the Refresh token endpoint documentation for more details on the refresh process.
scope: List of scopes granted to your application.
token_type: Type of token you have requested. It will always be bearer.
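The exchange described above (state check, token request, response handling), as an added Python example that is not part of Qonto's documentation or any Qonto SDK; the HTTP POST itself is left to the caller, and SAMPLE_RESPONSE is a constructed response, not one captured from Qonto.

```python
import hmac
import json
import time
from urllib.parse import urlencode

TOKEN_URL = "https://oauth.qonto.com/oauth2/token"

# Constructed sample response, not captured from Qonto.
SAMPLE_RESPONSE = ('{"access_token": "at-sample", "expires_in": 3600, "refresh_token": "rt-sample",'
                   ' "scope": "openid offline_access", "token_type": "bearer"}')

def build_token_request(callback_params, expected_state, client_id,
                        client_secret, redirect_uri):
    """Validate the redirect callback, then build the POST to /oauth2/token.
    Raises ValueError if state differs from the value stored before the
    authorization call (possible forged request) or if code is missing."""
    received_state = callback_params.get("state", "")
    # Constant-time comparison: do not leak timing about the stored state.
    if not hmac.compare_digest(received_state, expected_state):
        raise ValueError("state mismatch: abort, request may be forged")
    code = callback_params.get("code")
    if not code:
        raise ValueError("authorization code missing from callback")
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,  # keep out of logs and URLs
        "redirect_uri": redirect_uri,    # must match the authorization call
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, body

def parse_token_response(raw_json, now=None):
    """Turn the JSON token response into a session record with an absolute
    expiry, so the client can refresh before the 1-hour access token dies."""
    now = time.time() if now is None else now
    data = json.loads(raw_json)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    if "access_token" not in data or "expires_in" not in data:
        raise ValueError("token response lacks access_token or expires_in")
    return {
        "access_token": data["access_token"],
        "expires_at": now + int(data["expires_in"]),
        "refresh_token": data.get("refresh_token"),  # needs offline_access scope
        "id_token": data.get("id_token"),            # needs openid scope
        "scopes": data.get("scope", "").split(),
    }
```

Store the session record server-side and schedule a refresh shortly before expires_at; the code is single-use and expires after 10 minutes, so exchange it immediately.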