If you are initiating the OAuth flow on the Sandbox environment (https://oauth-sandbox.staging.qonto.co), make sure you are logged in to the Sandbox web app first with your Developer Portal account.

Your app should include a “Connect with Qonto” link that sends the user to our OAuth authorization endpoint: https://oauth.qonto.com/oauth2/auth. The user is redirected to qonto.com and has to enter their login and password. Once logged in, we redirect the user back to the redirect_uri you provided in the registration form.

https://oauth.qonto.com/oauth2/auth?client_id=<Client ID>&redirect_uri=<Redirect URL>&scope=<Scope>&response_type=code&state=123456789

Example:
https://oauth.qonto.com/oauth2/auth? \
  client_id=my-company-name-v1& \
  redirect_uri=https%3A%2F%2Fmy-company-server.com%2F& \
  response_type=code& \
  scope=organization.read%20offline_access%20attachment.write%20internal_transfer.write& \
  state=123456789

Query parameters

The call to GET https://oauth.qonto.com/oauth2/auth must contain the following query parameters:
client_id (string, required)
Unique identifier of your application. The value is provided by Qonto after you fill in the initial registration form.

redirect_uri (string, required)
URL the user is redirected back to after they accept the connection of your application with their account. It must match the redirect URI you registered.
☝️ redirect_uri needs to be URL-encoded (percent-encoded), as in the example above.

response_type (string, required)
Type of authorization flow. Only code is supported.

scope (string, required)
The list of permissions that your application is requesting on the user account. It can be a single scope or several scopes. In the latter case, the scopes must be written as a space-separated list of values (encoded as %20 in the URL).

Examples:
- Single scope: offline_access
- Multiple scopes: offline_access organization.read payment.write

Use the offline_access scope if you require a refresh token.

Please refer to the API Reference section of this documentation to find which specific scopes are required for the actions you would like to perform; the list of available scopes is given there.

state (string, required)
A security parameter that protects the callback against forgery (CSRF) attacks.

You need to pass an unguessable value that is unique to the user authenticating (a fresh random token stored in that user's session, not a constant like the 123456789 used in the example above).
At the end of the authentication process, compare the state received on your redirect_uri with the one you stored and make sure they are equal; if they differ, abort the flow and do not exchange the code.

organization_id (string, optional)
If you want to restrict the user to connecting a specific organization, pass its organization_id here. If this parameter is present, the user is not asked to select an organization during the OAuth flow.

registration_id (string, optional)
Starts the OAuth flow with a pre-selected organization, linked to the registration_id obtained during the onboarding flow. If this parameter is provided, the user is not asked to select an organization during the OAuth flow.
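The following is an added example (not Qonto's own code or SDK) showing how a server-side app would build the authorization URL with correct percent-encoding, generate a per-user state, and validate that state on the redirect back before trusting the authorization code. The `code`/`state` query parameters and the `error` parameter on the redirect are standard OAuth 2.0 (RFC 6749) behaviour assumed here, and the callback URLs are constructed sample values, not captured traffic.

```python
import hmac
import secrets
from urllib.parse import urlencode, quote, urlparse, parse_qs

AUTHORIZE_URL = "https://oauth.qonto.com/oauth2/auth"


def generate_state() -> str:
    """Fresh unguessable state for one user; persist it in that user's
    server-side session before issuing the redirect."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, scopes, state,
                        organization_id=None, registration_id=None):
    """Build the GET URL for /oauth2/auth.

    urlencode(..., quote_via=quote) percent-encodes redirect_uri
    (':' -> %3A, '/' -> %2F) and turns the space-separated scope list
    into %20, which is what the endpoint expects."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",       # only "code" is supported
        "scope": " ".join(scopes),     # space-separated list of scopes
        "state": state,
    }
    if organization_id is not None:    # optional: pre-select an organization
        params["organization_id"] = organization_id
    if registration_id is not None:    # optional: organization from onboarding
        params["registration_id"] = registration_id
    return AUTHORIZE_URL + "?" + urlencode(params, quote_via=quote)


class CallbackError(Exception):
    """Raised when the redirect back to redirect_uri must not be trusted."""


def handle_callback(callback_url, expected_state):
    """Validate the redirect to redirect_uri and return the authorization code.

    expected_state is the value stored in the user's session when the flow
    started. The comparison is constant-time and any mismatch aborts the
    flow before the code is ever exchanged for tokens."""
    query = parse_qs(urlparse(callback_url).query)
    received = query.get("state", [None])[0]
    if received is None or not hmac.compare_digest(
            received.encode(), expected_state.encode()):
        raise CallbackError("state mismatch: forged or replayed callback")
    # Standard OAuth 2.0 error redirect (assumed, not documented on this page).
    if "error" in query:
        raise CallbackError("authorization failed: " + query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise CallbackError("missing authorization code")
    return code


if __name__ == "__main__":
    # Hypothetical client values; the redirect URI must match the registered one.
    state = generate_state()
    url = build_authorize_url(
        "my-company-name-v1", "https://my-company-server.com/",
        ["organization.read", "offline_access"], state)
    print("redirect user to:", url)
    # Constructed sample of what the browser brings back to redirect_uri.
    sample_callback = f"https://my-company-server.com/?code=sample-code&state={state}"
    print("authorization code:", handle_callback(sample_callback, state))
```

Store the state server-side (or in a signed, HttpOnly cookie) keyed to the user, and use it exactly once: a state that is never consumed, or that is reused across logins, gives an attacker a way to splice their own authorization code into a victim's session.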

Response

Successful response. The user is redirected to https://app.qonto.com/signin.