
# Create or refresh tokens

> <Warning>This call must be performed on your backend as you should never expose your client secret.</Warning>

Creates or refreshes a set of tokens for the authenticated membership.

This set of tokens contains:
  - always: an access token (you will need this token to authenticate yourself to any other endpoint);
  - if you used the `offline_access` scope when [retrieving an authorization code](/api-reference/business-api/authentication/oauth2/retrieve_authorization): a refresh token; 
  - if you used the `openid` scope when [retrieving an authorization code](/api-reference/business-api/authentication/oauth2/retrieve_authorization): an ID token.

The access token and the ID token are valid for **1 hour**, the refresh token for **90 days**. Once the access token has expired, the Business API rejects it; obtain a new one (with your refresh token, if you requested the `offline_access` scope).

<AccordionGroup>

  <Accordion title="If you create a set of tokens for the first time">
    Use the authorization `code` you've received at [the previous step](/api-reference/business-api/authentication/oauth2/retrieve_authorization).
  </Accordion>

  <Accordion title="If you want to refresh an existing access token">
    Use the last refresh token you've received.
    <Warning>Store the new refresh token as soon as you receive it: the previous one is only honoured for a grace period of 60 seconds after its first use and is invalidated afterwards 👉 you will need the new one for the next refresh.</Warning>
    Always opt for a **proactive** refresh over a reactive one to stay within the [rate limitations](/get-started/general/rate-limitations): check whether your access token is about to expire and refresh it before making the API call, instead of making the call, receiving a `401`, and only then refreshing.
  </Accordion>

</AccordionGroup>
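How the two grants fit together on a backend, as an added example that is not part of Qonto's documentation or of any Qonto SDK: the client secret stays server-side, the first call uses `authorization_code` with the same `redirect_uri` as the authorization request, later calls use `refresh_token`, the rotated refresh token is handed to a persistence hook the moment it arrives, and the access token is renewed proactively before it expires rather than after a `401`. The HTTP transport is injectable; `fake_token_endpoint`, the token strings, the `on_tokens` hook, the 5-minute refresh margin and the `OAuthError` class are constructed for the offline demonstration and are not Qonto's.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Production token endpoint from the OpenAPI section; the sandbox one also needs X-Qonto-Staging-Token.
TOKEN_URL = "https://oauth.qonto.com/oauth2/token"

@dataclass
class TokenSet:
    access_token: str
    expires_at: float                    # absolute epoch seconds, derived from expires_in
    scope: str
    refresh_token: Optional[str] = None  # only present if offline_access was requested
    id_token: Optional[str] = None       # only present if openid was requested

class OAuthError(RuntimeError):
    def __init__(self, status: int, error: str, description: str = ""):
        super().__init__(f"{status} {error}: {description}")
        self.status, self.error = status, error

def urllib_post(url: str, form: dict, headers: dict) -> tuple[int, dict]:
    """Real transport: form-encoded POST; returns (HTTP status, parsed body)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded", **headers})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    try:
        return status, json.loads(raw)
    except ValueError:  # e.g. the HTML page the sandbox returns when X-Qonto-Staging-Token is missing
        return status, {"error": "non_json_response", "error_description": raw[:200].decode(errors="replace")}

class QontoTokenClient:
    # Keeps the client secret and the token set on the backend; callers only ever get a Bearer header.
    def __init__(self, client_id, client_secret, redirect_uri, *, post=urllib_post, clock=time.time,
                 on_tokens=None, staging_token=None, token_url=TOKEN_URL, refresh_margin=300):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.post, self.clock, self.on_tokens = post, clock, on_tokens
        self.headers = {"X-Qonto-Staging-Token": staging_token} if staging_token else {}
        self.token_url, self.refresh_margin = token_url, refresh_margin
        self.tokens: Optional[TokenSet] = None

    def _grant(self, form: dict) -> TokenSet:
        form = {"client_id": self.client_id, "client_secret": self.client_secret, **form}
        status, body = self.post(self.token_url, form, self.headers)
        if status != 200 or "access_token" not in body:
            raise OAuthError(status, body.get("error", "unknown"), body.get("error_description", ""))
        previous = self.tokens.refresh_token if self.tokens else None
        self.tokens = TokenSet(access_token=body["access_token"], scope=body.get("scope", ""),
                               expires_at=self.clock() + int(body["expires_in"]),
                               refresh_token=body.get("refresh_token", previous),  # rotated on refresh
                               id_token=body.get("id_token"))
        if self.on_tokens:  # persist at once: the old refresh token is only honoured for 60 s more
            self.on_tokens(self.tokens)
        return self.tokens

    def exchange_code(self, code: str) -> TokenSet:
        # First token set; redirect_uri must equal the one used in the authorization request.
        return self._grant({"grant_type": "authorization_code", "code": code, "redirect_uri": self.redirect_uri})

    def refresh(self) -> TokenSet:
        if not (self.tokens and self.tokens.refresh_token):
            raise OAuthError(0, "no_refresh_token", "request the offline_access scope to get one")
        return self._grant({"grant_type": "refresh_token", "refresh_token": self.tokens.refresh_token})

    def bearer(self) -> str:
        """Proactive refresh: renew before expiry instead of after a 401, then hand out the header."""
        if self.tokens is None:
            raise OAuthError(0, "not_authorized", "exchange an authorization code first")
        if self.clock() >= self.tokens.expires_at - self.refresh_margin:
            self.refresh()
        return f"Bearer {self.tokens.access_token}"

# --- Offline demonstration against a constructed stand-in for /oauth2/token (not Qonto's server) ---
def fake_token_endpoint(url: str, form: dict, headers: dict) -> tuple[int, dict]:
    ok = {"token_type": "bearer", "expires_in": 3600, "scope": "offline_access organization.read"}
    if form["grant_type"] == "authorization_code" and form.get("code") == "code-1":
        return 200, {**ok, "access_token": "at-1", "refresh_token": "rt-1"}
    if form["grant_type"] == "refresh_token" and form.get("refresh_token") == "rt-1":
        return 200, {**ok, "access_token": "at-2", "refresh_token": "rt-2"}
    return 400, {"error": "invalid_grant", "error_description": "grant invalid, expired or already used"}

def demo() -> dict:
    now, stored = [1_760_020_000.0], []   # controllable clock; list standing in for your secret store
    client = QontoTokenClient("client-id", "client-secret", "https://my-company-server.com",
                              post=fake_token_endpoint, clock=lambda: now[0],
                              on_tokens=lambda t: stored.append(t.refresh_token))
    client.exchange_code("code-1")
    fresh = client.bearer()               # well within the hour: no refresh
    now[0] += 3600 - 120                  # inside the 5-minute margin: refresh before any 401
    renewed = client.bearer()
    return {"fresh": fresh, "renewed": renewed, "stored": stored}
```

Wire `on_tokens` to whatever encrypted store holds your refresh tokens, and treat a refresh that fails with `invalid_grant` as the end of the session: once the grace period has passed, the old refresh token cannot be retried, and the user has to go through the authorization flow again.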



## OpenAPI

````yaml post /oauth2/token
openapi: 3.1.1
info:
  version: v2
  title: Qonto
servers:
  - url: https://thirdparty.qonto.com
    description: Production URL
  - url: https://thirdparty-sandbox.staging.qonto.co
    description: Sandbox URL
security:
  - OAuth:
      - organization.read
      - membership.read
      - membership.write
      - attachment.write
      - internal_transfer.write
      - payment.write
      - supplier_invoice.write
      - supplier_invoice.read
      - client_invoices.read
      - client_invoice.write
      - client.read
      - client.write
      - product.read
      - product.write
      - request_review.write
      - request_review.read
      - team.read
      - team.write
      - request_transfers.write
      - insurance_contract.read
      - insurance_contract.write
      - card.read
      - card.write
      - bank_account.write
      - beneficiary.trust
      - webhook
      - payment_link.write
      - payment_link.read
      - sepa_direct_debit.read
      - sepa_direct_debit.write
      - terminal.read
      - terminal.write
  - SecretKey: []
paths:
  /oauth2/token:
    servers:
      - url: https://oauth.qonto.com
        description: Production URL
      - url: https://oauth-sandbox.staging.qonto.co
        description: Sandbox URL
    parameters:
      - $ref: '#/components/parameters/X-Qonto-Staging-Token'
    post:
      tags:
        - OAuth 2.0
      summary: Create or refresh tokens
      description: >-
        <Warning>This call must be performed on your backend as you should never
        expose your client secret.</Warning>


        Creates or refreshes a set of tokens for the authenticated membership.


        This set of tokens contains:
          - always: an access token (you will need this token to authenticate yourself to any other endpoint);
          - if you used the `offline_access` scope when [retrieving an authorization code](/api-reference/business-api/authentication/oauth2/retrieve_authorization): a refresh token; 
          - if you used the `openid` scope when [retrieving an authorization code](/api-reference/business-api/authentication/oauth2/retrieve_authorization): an ID token.

        The access token and the ID token are valid for **1 hour**, the refresh
        token for **90 days**. Once the access token has expired, the Business
        API rejects it; obtain a new one (with your refresh token, if you
        requested the `offline_access` scope).


        <AccordionGroup>

          <Accordion title="If you create a set of tokens for the first time">
            Use the authorization `code` you've received at [the previous step](/api-reference/business-api/authentication/oauth2/retrieve_authorization).
          </Accordion>

          <Accordion title="If you want to refresh an existing access token">
            Use the last refresh token you've received.
            <Warning>Store the new refresh token as soon as you receive it: the previous one is only honoured for a grace period of 60 seconds after its first use and is invalidated afterwards 👉 you will need the new one for the next refresh.</Warning>
            Always opt for a **proactive** refresh over a reactive one to stay within the [rate limitations](/get-started/general/rate-limitations): check whether your access token is about to expire and refresh it before making the API call, instead of making the call, receiving a `401`, and only then refreshing.
          </Accordion>

        </AccordionGroup>
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              properties:
                client_id:
                  type: string
                  description: >-
                    Unique identifier of your application. Please sign up to the
                    [Developer Portal](https://developers.qonto.com/sign-up/) to
                    get one.
                  example: 475670cc-e41a-4baa-8eb6-4329af7d1450
                client_secret:
                  type: string
                  example: this-is-my-amazing-secret
                  description: >-
                    Secret of your application. Please sign up to the [Developer
                    Portal](https://developers.qonto.com/sign-up/) to get one.
                grant_type:
                  type: string
                  description: >-
                    Type of token you are providing to generate your access
                    token.

                    - If you are creating your first set of tokens:
                    `authorization_code`

                    - If you are refreshing an existing access token:
                    `refresh_token`
                  example: authorization_code
                redirect_uri:
                  type: string
                  description: >-
                    URI to which the Qonto user will be redirected back after
                    they have accepted the connection of your application with
                    their account.

                    This value is used here for verification purposes: it must
                    match the `redirect_uri` sent in the authorization request,
                    which matters in particular if you registered several
                    redirect URIs.

                    Use this parameter when creating your first set of tokens.
                  example: https://my-company-server.com
                code:
                  type: string
                  description: >-
                    Temporary authorization code received on the `redirect_uri`.

                    Keep in mind that this code is only valid for **10
                    minutes**.

                    Use this parameter to create your first set of tokens.
                  example: >-
                    ory_ac_lY8t9YfHv3N2tLEKFfgL5_XADs2sbcxVGcYPbneMAAo.w-9CyjAz0DB-_3q2s5ZpYk-oFEUCBcMTU_s5iy07CA0
                refresh_token:
                  type: string
                  description: >-
                    Last refresh token. Use this parameter to refresh an
                    existing access token.


                    Please note that your refresh token remains valid within a
                    grace period of **60 seconds after its first usage**,
                    allowing multiple usages without immediate invalidation.
                    When the grace period ends, the refresh token will be
                    invalidated. This can be beneficial in scenarios where
                    network issues or delayed token exchanges may otherwise
                    disrupt session continuity.
                  example: >-
                    ory_rt_7kRxfEQzaBuL9RRSusC_vKRUNmtr1jdUC_i2NORdmZU.Ze-WLB5gZa7UIbhHSgv3KCpqvJHMZHUn6hgc1XOGoRU
              required:
                - client_id
                - client_secret
                - grant_type
      responses:
        '200':
          description: >-
            Returns the set of tokens created. If you are receiving an HTML
            response, please make sure you've included the
            `X-Qonto-Staging-Token` header in your request.
          content:
            application/json:
              schema:
                type: object
                properties:
                  access_token:
                    type: string
                    example: >-
                      ory_at_2-ocNFHnqdPjEOs9FdHMf6jKO4VNTVvLp3zChWVItoY.CaKVRy-plm-pr2mKk22Nt3ThgVjHmfkrolgTmMapvCI
                    description: >-
                      Bearer token to use in the Authorization header of your
                      API requests.

                      This token is valid for **1 hour**.
                  expires_in:
                    type: integer
                    example: 3600
                    description: Access token lifespan in seconds.
                  refresh_token:
                    type: string
                    example: >-
                      ory_rt_7kRxfEQzaBuL9RRSusC_vKRUNmtr1jdUC_i2NORdmZU.Ze-WLB5gZa7UIbhHSgv3KCpqvJHMZHUn6hgc1XOGoRU
                    description: >-
                      Token to exchange against a new `access_token` when it
                      reaches its end of life.

                      This token is valid for **90 days**.


                      ☝️ To receive the refresh token, you need to use the
                      `offline_access` scope when [retrieving an authorization
                      code](/api-reference/business-api/authentication/oauth2/retrieve_authorization).
                  id_token:
                    type: string
                    example: >-
                      eyJhbGciOiJSUzI1NiIsImtpZCI6InByaXZhdGU6NzY4ZTk0OTYtMmJlOS00OTg4LTllNzUtZTU2NTEwODI5YzhjIiwidHlwIjoiSldUIn0.eyJhdF9oYXNoIjoiYVJUdFZBbndFX0RDblhSa1hhMnhxQSIsImF1ZCI6WyJsb2NhbGhvc3QtdGVzdC1jbGllbnQtYXBwIl0sImF1dGhfdGltZSI6MTc2MDAyMDQzMSwiZW1haWwiOiJvd25lckBxb250by5ldSIsImV4cCI6MTc2MDAyNDA4MywiaWF0IjoxNzYwMDIwNDgzLCJpc3MiOiJodHRwczovL29hdXRoLXNhbmRib3guc3RhZ2luZy5xb250by5jbyIsImp0aSI6IjBlYjQ3YjczLTI1NzgtNDQ3NC05MjNhLWQ3ZmQ4NTQ1NzJiYyIsInJhdCI6MTc2MDAyMDM1Mywic2lkIjoiZmYxYTY0MjgtOTdkZi00Yzc4LWJjOTgtM2JjMjVlNjM1MmQwIiwic3ViIjoiMDE5NjVkYzQtZmMxZi03ODc0LTgzYjQtYjU1MjhiZWEwYThkIn0.N2M3LiDbNvA115Foed1YVJ8mqr_mq_8-gmAJ6FkhWyx45gpUpeKji4U0lWbh3sYN1cd90aSwhZnrxxTxVsJAo6pvbWkw0ghzMasmltqAbxttPW-GgfieUh1ipbgE7ekmNPT6Op_qAU_E5OhZDKd01HC07on5FdVkdHeZGSN0ahZ4MezlmYA85Ig_qDM-7hW0DQhlATRuYpatl5hIE_7oiGsTrcsUgNYxoIILOCSP_FhHGJRtKah1wVqRhPu5fQG277mOTugI463yMDzAJMRgptEfpA02whnB6tycXKNfRDdFbYS1jxKzwSFTX3QAmhDWWJl4fgyAYe3ur_pD9jqlb9hpZwXFThJzfxyvKkPwiZjaVmWZi1dAhAzE2jZH6ktwimVbDjI3uWiOwz10AsYoTpZXf17jJRrR7bzj_ayYlh1G3JfIEPgiK4QkekWcV9uerWS_9ziyPqVOZw-sBEGZC19JcvMW1pzlK9az9aTKekBmzmCdXw9ankc_-1rfd9rB2oco_-_Vh9hKk5jHExHk0GZ1C48C-UZd7iB0VpQC7R_93gvHk3crIvyPqcZQl7PPBoqYK9thuliLpCkPhJ_nYX-2RDUfeI6wHL26hklCU3t-N-SAecZ34WBkk9S30cvY333HPZi1lNxEptc0obmjCMCYcSg0Sr_Ctk9Z8nXrMEU
                    description: >-
                      JSON Web Token that contains claims about the user and
                      the session. Verify its signature against the issuer's
                      published keys and check its `iss`, `aud` and `exp`
                      claims before using it to create a session in your
                      application.

                      This token is valid for **1 hour**.


                      ☝️ To receive the ID token, you need to use the `openid`
                      scope when [retrieving an authorization
                      code](/api-reference/business-api/authentication/oauth2/retrieve_authorization).
                  scope:
                    type: string
                    example: offline_access organization.read
                    description: List of scopes granted to your application.
                  token_type:
                    type: string
                    example: bearer
                    description: >-
                      Type of token issued. It is always `bearer`.
                required:
                  - access_token
                  - expires_in
                  - scope
                  - token_type
        '400':
          description: Returns a bad request error.
          content:
            application/json:
              schema:
                type: object
                properties:
                  error:
                    type: string
                    example: invalid_grant
                  error_description:
                    type: string
                    example: >-
                      The provided authorization grant (e.g., authorization
                      code, resource owner credentials) or refresh token is
                      invalid, expired, revoked, does not match the redirection
                      URI used in the authorization request, or was issued to
                      another client. The authorization code has already been
                      used.
                required:
                  - error
                  - error_description
        '401':
          description: Returns an unauthorized error.
          content:
            application/json:
              schema:
                type: object
                properties:
                  error:
                    type: string
                    example: invalid_client
                  error_description:
                    type: string
                    example: >-
                      Client authentication failed (e.g., unknown client, no
                      client authentication included, or unsupported
                      authentication method).
                required:
                  - error
                  - error_description
        '500':
          description: Returns an internal server error.
          content:
            application/json:
              schema:
                type: object
                properties:
                  error:
                    type: string
                    example: internal_server_error
                  error_description:
                    type: string
                    example: Internal Server Error
                required:
                  - error
                  - error_description
      security:
        - {}
components:
  parameters:
    X-Qonto-Staging-Token:
      name: X-Qonto-Staging-Token
      in: header
      description: >-
        Required only for Sandbox API requests; to get one, please sign up to
        the [Developer Portal](https://developers.qonto.com/).
      schema:
        type: string
  securitySchemes:
    OAuth:
      type: oauth2
      description: >
        Bearer authorization header: `Bearer <token>`, where `<token>` is the
        access token received from the authorization server at the end of the
        [OAuth 2.0
        flow](/get-started/business-api/authentication/oauth/oauth-flow).
      flows:
        authorizationCode:
          refreshUrl: https://oauth.qonto.com/oauth2/token
          authorizationUrl: https://oauth.qonto.com/oauth2/auth
          scopes:
            attachment.read: Retrieve attachments
            attachment.write: Upload attachments and remove attachments from transactions
            bank_account.write: Create, update and close bank accounts
            beneficiary.trust: Trust SEPA beneficiaries
            card.read: Retrieve cards
            card.write: Create or update cards
            client.read: Retrieve clients
            client.write: Create clients
            client_invoice.write: Create client invoices
            client_invoices.read: Retrieve client invoices and credit notes
            einvoicing.read: Retrieve e-invoicing settings
            embed_auth_link.write: Create Embed auth links
            insurance_contract.read: Retrieve insurance contracts
            insurance_contract.write: Create and update insurance contracts
            internal_transfer.write: >-
              Create internal transfers (between 2 Qonto accounts of the same
              organization)
            international_transfer.write: Create international transfers
            membership.read: Retrieve the authentified membership
            membership.write: Invite team members
            offline_access: Retrieve a refresh token
            organization.read: >-
              Retrieve organization, bank accounts, transactions, transfers,
              beneficiaries, labels, memberships, requests & statements
            payment.write: Create external transfers and untrust beneficiaries
            payment_link.read: >-
              Retrieve payment links, their payments, and the available payment
              methods
            payment_link.write: >-
              Connect to the payment links provider, create and deactivate
              payment links
            product.read: Retrieve products
            product.write: Create products
            request_cards.write: Create card requests
            request_review.write: Approve or decline requests
            request_transfers.write: Create transfer requests
            sepa_direct_debit.read: View SEPA Direct Debit payments
            sepa_direct_debit.write: Manage SEPA Direct Debit payments
            supplier_invoice.read: Retrieve supplier invoices
            supplier_invoice.write: Create supplier invoices
            team.read: Retrieve teams
            team.write: Create teams
            terminal.read: View your payment terminals
            terminal.write: Configure your terminals and initiate payments
            webhook: >-
              Receive a notification each time a particular event occurs in
              Qonto
          tokenUrl: https://oauth.qonto.com/oauth2/token
    SecretKey:
      type: apiKey
      description: cf. [API key](/get-started/business-api/authentication/api-key)
      name: Authorization
      in: header

````
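Validating the ID token's claims before creating a session, as an added example that is not Qonto's code: it checks `iss`, `aud`/`azp`, `exp`/`iat`, an optional `nonce`, and the `at_hash` binding between the ID token and the access token returned in the same `/oauth2/token` response. It assumes the JWS signature has already been verified with a JOSE library against the issuer's key for the header's `kid`; `jwt_parts` only decodes and is not a signature check. The claims in `demo()` are constructed with the same shape as the example ID token above (RS256, `aud` as a list, `at_hash` present); the `iss` value is the sandbox issuer from that example token, and the client, user and session identifiers are placeholders.

```python
import base64
import hashlib
import json
from typing import Any, Mapping, Optional

# Digest named by the JOSE alg; OIDC at_hash uses the left half of this hash.
_ALG_HASH = {"RS256": "sha256", "PS256": "sha256", "ES256": "sha256",
             "RS384": "sha384", "ES384": "sha384", "RS512": "sha512", "ES512": "sha512"}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def at_hash(access_token: str, alg: str = "RS256") -> str:
    """OIDC Core 3.1.3.6: base64url(left half of hash(access_token)); 22 chars for RS256."""
    digest = hashlib.new(_ALG_HASH[alg], access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])

def jwt_parts(id_token: str) -> tuple[dict, dict]:
    """Header and payload of a compact JWS. This does NOT verify the signature."""
    header_b64, payload_b64, _signature = id_token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

class IdTokenError(ValueError):
    pass

def validate_id_token_claims(claims: Mapping[str, Any], *, access_token: str, issuer: str, client_id: str,
                             now: float, alg: str = "RS256", leeway: int = 60,
                             expected_nonce: Optional[str] = None) -> dict:
    """Claim checks to run AFTER the JWS signature was verified (with a JOSE library) against the
    issuer's key for the header's `kid`. Returns the claims worth copying into a session."""
    if claims.get("iss") != issuer:
        raise IdTokenError(f"iss {claims.get('iss')!r} is not the expected issuer")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])   # the example token uses a list
    if client_id not in audiences:
        raise IdTokenError("aud does not contain this client_id")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("several audiences but azp is not this client")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise IdTokenError("ID token expired")
    if not isinstance(iat, (int, float)) or iat > now + leeway:
        raise IdTokenError("iat lies in the future")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch: possible replay")
    # at_hash binds this ID token to the access token issued in the same /oauth2/token response.
    if "at_hash" in claims and claims["at_hash"] != at_hash(access_token, alg):
        raise IdTokenError("at_hash does not match the access token")
    if not claims.get("sub"):
        raise IdTokenError("sub is missing")
    return {k: claims[k] for k in ("sub", "sid", "email", "auth_time") if k in claims}

def _failure(**kwargs) -> Optional[str]:
    try:
        validate_id_token_claims(**kwargs)
        return None
    except IdTokenError as err:
        return str(err)

def demo() -> dict:
    """Constructed claims with the same shape as the example ID token on this page; not real tokens."""
    now, access = 1_760_020_500, "ory_at_constructed-example-access-token"
    issuer, client_id = "https://oauth-sandbox.staging.qonto.co", "my-client-app"  # client name is a placeholder
    claims = {"iss": issuer, "aud": [client_id], "sub": "user-123", "sid": "session-456",
              "email": "owner@example.com", "auth_time": now - 52, "iat": now, "exp": now + 3600,
              "at_hash": at_hash(access)}
    base = dict(access_token=access, issuer=issuer, client_id=client_id, now=now)
    return {
        "session": validate_id_token_claims(claims, **base),
        "ok": _failure(claims=claims, **base),
        "swapped_access_token": _failure(claims=claims, **{**base, "access_token": "ory_at_some-other-token"}),
        "expired": _failure(claims=claims, **{**base, "now": now + 3600 + 61}),
        "other_client": _failure(claims=claims, **{**base, "client_id": "another-app"}),
        "wrong_issuer": _failure(claims=claims, **{**base, "issuer": "https://issuer.invalid"}),
    }
```

The `at_hash` check is the one most often skipped: without it, an ID token and an access token from two different responses (or two different users) can be paired up by whoever controls the client-side half of the exchange. Pass `expected_nonce` whenever your authorization request carried a `nonce`, and keep `leeway` small; the example token's `exp` is exactly 3600 seconds after its `iat`, matching the documented lifetime.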