/oauth2/token endpoint to exchange this verification code for an access token and a refresh token.
The access_token is valid for 1 hour and the refresh_token for 90 days.
On this step, you should check the received state parameter against the one you provided on the previous authorization call. If they do not match, you should stop the process, as the request might have been forged by a malicious third party.
POST https://oauth.qonto.com/oauth2/token must contain the following body parameters:
redirect_uri
.redirect_uri
.authorization_code
.application/x-www-form-urlencoded
client_secret
.Authorization
header of the API requests.openid
scope, in the Login endpoint.access_token
when it reaches its end of life. This token is valid for 90 days.offline_access
scope, in the Login endpoint.bearer
.
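The state check and token request described above, as an added example that is not part of the Qonto documentation: the callback is rejected unless its state matches the stored one, and only then is the POST prepared (it is built, not sent). The body parameter names grant_type, code and client_id are the standard RFC 6749 names and are assumed here; the callback URL and credentials are constructed sample values.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

TOKEN_URL = "https://oauth.qonto.com/oauth2/token"  # from the page


class StateMismatch(Exception):
    """The callback state does not match the one stored for this session."""


def new_state() -> str:
    # Unpredictable, single-use value kept server-side in the user's session.
    return secrets.token_urlsafe(32)


def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Return the verification code only if the received state matches."""
    query = parse_qs(urlsplit(callback_url).query)
    received = query.get("state", [""])[0]
    # Constant-time comparison; a missing or empty state never matches.
    if not expected_state or not hmac.compare_digest(
            received.encode(), expected_state.encode()):
        raise StateMismatch("state mismatch: stop, do not exchange the code")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one code")
    return codes[0]


def build_token_request(code, client_id, client_secret, redirect_uri):
    # Parameter names follow RFC 6749 (assumption, see lead-in).
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,  # same value as in the authorization call
    }).encode()
    return Request(TOKEN_URL, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


if __name__ == "__main__":
    state = new_state()  # constructed sample values below
    cb = f"https://app.example/callback?code=sample-code&state={state}"
    req = build_token_request(code_from_callback(cb, state), "sample-id",
                              "sample-secret", "https://app.example/callback")
    print(req.get_method(), req.full_url, req.data.decode())
```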