Create or refresh tokens
Creates or refreshes a set of tokens for the authenticated membership.
This set of tokens contains:
- always: an access token (you will need this token to authenticate yourself to any other endpoint);
- if you used the
offline_accessscope when retrieving an authorization code: a refresh token; - if you used the
openidscope when retrieving an authorization code: an ID token.
The access token and the ID token are valid for 1 hour, the refresh token for 90 days. Once the access token has reached its expiration date, you won’t be able to access the Business API with it anymore.
If you create a set of tokens for the first time
If you create a set of tokens for the first time
Use the authorization code you’ve received at the previous step.
If you want to refresh an existing access token
If you want to refresh an existing access token
Use the last refresh token you’ve received.
Always opt for a proactive refresh vs a reactive refresh to avoid reaching the rate limitations, i.e. check if your access token is expired and refresh it if needed before making any API call instead of refreshing it after getting a401 error.Headers
Required only for Sandbox API requests; to get one, please sign up to the Developer Portal.
Body
Unique identifier of your application. Please sign up to the Developer Portal to get one.
"475670cc-e41a-4baa-8eb6-4329af7d1450"
Secret of your application. Please sign up to the Developer Portal to get one.
"this-is-my-amazing-secret"
Type of token you are providing to generate your access token.
- If you are creating your first set of tokens:
authorization_code - If you are refreshing an existing access token:
refresh_token
"authorization_code"
URI to which the Qonto user will be redirected back after they have accepted the connection of your application with their account.
This value is used here for verification purpose in case you provided multiple redirect_uri.
Use this parameter when creating your first set of tokens.
"https://my-company-server.com"
Temporary authorization code received on the redirect_uri.
Keep in mind that this code is only valid for 10 minutes.
Use this parameter to create your first set of tokens.
"ory_ac_lY8t9YfHv3N2tLEKFfgL5_XADs2sbcxVGcYPbneMAAo.w-9CyjAz0DB-_3q2s5ZpYk-oFEUCBcMTU_s5iy07CA0"
Last refresh token. Use this parameter to refresh an existing access token.
Please note that your refresh token remains valid within a grace period of 60 seconds after its first usage, allowing multiple usages without immediate invalidation. When the grace period ends, the refresh token will be invalidated. This can be beneficial in scenarios where network issues or delayed token exchanges may otherwise disrupt session continuity.
"ory_rt_7kRxfEQzaBuL9RRSusC_vKRUNmtr1jdUC_i2NORdmZU.Ze-WLB5gZa7UIbhHSgv3KCpqvJHMZHUn6hgc1XOGoRU"
Response
Returns the set of tokens created. If you are receiving an HTML response, please make sure you've included the X-Qonto-Staging-Token header in your request.
Bearer token to use in the Authorization header of your API requests. This token is valid for 1 hour.
"ory_at_2-ocNFHnqdPjEOs9FdHMf6jKO4VNTVvLp3zChWVItoY.CaKVRy-plm-pr2mKk22Nt3ThgVjHmfkrolgTmMapvCI"
Access token lifespan in seconds.
3600
List of scopes granted to your application.
"offline_access organization.read"
Type of token you have requested. It will always be bearer.
"bearer"
Token to exchange against a new access_token when it reaches its end of life.
This token is valid for 90 days.
☝️ To receive the refresh token, you need to use the offline_access scope when retrieving an authorization code.
"ory_rt_7kRxfEQzaBuL9RRSusC_vKRUNmtr1jdUC_i2NORdmZU.Ze-WLB5gZa7UIbhHSgv3KCpqvJHMZHUn6hgc1XOGoRU"
JSON Web Token that contains information about the user and the session. It can be digitally verified by your application to create a session. This token is valid for 1 hour.
☝️ To receive the ID token, you need to use the openid scope when retrieving an authorization code.
"eyJhbGciOiJSUzI1NiIsImtpZCI6InByaXZhdGU6NzY4ZTk0OTYtMmJlOS00OTg4LTllNzUtZTU2NTEwODI5YzhjIiwidHlwIjoiSldUIn0.eyJhdF9oYXNoIjoiYVJUdFZBbndFX0RDblhSa1hhMnhxQSIsImF1ZCI6WyJsb2NhbGhvc3QtdGVzdC1jbGllbnQtYXBwIl0sImF1dGhfdGltZSI6MTc2MDAyMDQzMSwiZW1haWwiOiJvd25lckBxb250by5ldSIsImV4cCI6MTc2MDAyNDA4MywiaWF0IjoxNzYwMDIwNDgzLCJpc3MiOiJodHRwczovL29hdXRoLXNhbmRib3guc3RhZ2luZy5xb250by5jbyIsImp0aSI6IjBlYjQ3YjczLTI1NzgtNDQ3NC05MjNhLWQ3ZmQ4NTQ1NzJiYyIsInJhdCI6MTc2MDAyMDM1Mywic2lkIjoiZmYxYTY0MjgtOTdkZi00Yzc4LWJjOTgtM2JjMjVlNjM1MmQwIiwic3ViIjoiMDE5NjVkYzQtZmMxZi03ODc0LTgzYjQtYjU1MjhiZWEwYThkIn0.N2M3LiDbNvA115Foed1YVJ8mqr_mq_8-gmAJ6FkhWyx45gpUpeKji4U0lWbh3sYN1cd90aSwhZnrxxTxVsJAo6pvbWkw0ghzMasmltqAbxttPW-GgfieUh1ipbgE7ekmNPT6Op_qAU_E5OhZDKd01HC07on5FdVkdHeZGSN0ahZ4MezlmYA85Ig_qDM-7hW0DQhlATRuYpatl5hIE_7oiGsTrcsUgNYxoIILOCSP_FhHGJRtKah1wVqRhPu5fQG277mOTugI463yMDzAJMRgptEfpA02whnB6tycXKNfRDdFbYS1jxKzwSFTX3QAmhDWWJl4fgyAYe3ur_pD9jqlb9hpZwXFThJzfxyvKkPwiZjaVmWZi1dAhAzE2jZH6ktwimVbDjI3uWiOwz10AsYoTpZXf17jJRrR7bzj_ayYlh1G3JfIEPgiK4QkekWcV9uerWS_9ziyPqVOZw-sBEGZC19JcvMW1pzlK9az9aTKekBmzmCdXw9ankc_-1rfd9rB2oco_-_Vh9hKk5jHExHk0GZ1C48C-UZd7iB0VpQC7R_93gvHk3crIvyPqcZQl7PPBoqYK9thuliLpCkPhJ_nYX-2RDUfeI6wHL26hklCU3t-N-SAecZ34WBkk9S30cvY333HPZi1lNxEptc0obmjCMCYcSg0Sr_Ctk9Z8nXrMEU"