# POST /v1/oauth2/token

Archived documentation

This documentation refers to V1.6. See Release Notes for more information.

# Overview

This endpoint creates an access token to be given to the requesting TPP by the FI.

https://sandbox.konsentus.com/v1/oauth2/token

# Request Properties

# Headers

Authorization REQUIRED
string
Basic Auth Header
fi_reference_id REQUIRED
string
A string representing the FI authenticating with the system

Authentication Headers

x-eidas REQUIRED
string
Base64 encoded eIDAS certificate

eIDAS Certificate Headers

Content-Type REQUIRED
string
Must be set to: application/json

# Body Parameters

client_request_query_parameters REQUIRED
object
The request object from the TPP - forwarded by the FI.
grant_type REQUIRED
string
Describes the OAuth 2.0 flow. Can be set to authorization_code or client_credentials. If set to client_credentials, none of the other fields are required.
code REQUIRED
string
The one-time-use authorization code generated by Konsentus, which has a lifetime of 60 seconds. The authorization code is bound to the TPP and redirection URI.
redirect_uri REQUIRED
string
The redirect URI registered by the TPP with the CA.
tpp_id REQUIRED
string
A client identifier for the TPP matching the unique identifier they are registered with on the CA.

# Request Body Example

{
  "account_id": "12345678",
  "client_request_query_parameters": {
    "grant_type": "authorization_code",
    "code": "48968085-dfab-4672-a578-1ab88b77b57d",
    "redirect_uri": "https://www.google.com",
    "tpp_id": "PSDGB-FCA-kt-484347"
  }
}

# Response Properties

data object
response data
access_token string
The access token generated by Konsentus. The authorization code is bound to the client identifier and redirection URI. If grant_type in the request was set to client_credentials then the token in the response will be hardcoded to good-access-token.
expires_in integer
If the access token expires, the duration of time for which the access token is granted.
token_type string
The type of token, typically just the string 'bearer'.
scope string
If the scope the user granted is identical to the scope the app requested, this parameter is optional. If the granted scope is different from the requested scope, such as if the user modified the scope, then this parameter is required.
psd2_role string
A JSON array containing a list of psd2 roles associated with this token and TPP.
error object

See error documentation for fields and descriptions.

# Responses

# 201

Request received and access token created.

{
  "data": {
    "access_token": string,
    "expires_in": integer,
    "token_type": string,
    "scope": string,
    "psd2_role": [string]
  }
}

# 400

Request received, but parameters are missing or the request is malformed.

{
  "errors": [{
    "id": string,
    "code": string,
    "title": string,
    "link": string
  }]
}

# 401

Unable to Authorize.

{
  "errors": [{
    "id": string,
    "code": string,
    "title": string,
    "link": string
  }]
}

# 403

Forbidden.

{
  "errors": [{
    "id": string,
    "code": string,
    "title": string,
    "link": string
  }]
}

# Response Example

# 201 CREATED

# Success

{
  "data": {
    "access_token": "8c9378f8-e27f-4e0a-a643-d73585d1249f",
    "expires_in": 31104000,
    "token_type": "bearer",
    "scope": "pay",
    "psd2_role": ["PSP_PI"]
  }
}
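
The following is an added example, not Konsentus code, of how an FI-side client could assemble the request documented above and handle the documented 201 and error responses; it builds the request without sending it. The function names, the RFC 7617 `user:password` form of the Basic credentials, and Base64 encoding the certificate bytes exactly as supplied are assumptions, since the page does not specify them.

```python
import base64
import json
import urllib.request

TOKEN_URL = "https://sandbox.konsentus.com/v1/oauth2/token"
AUTH_CODE_FIELDS = ("code", "redirect_uri", "tpp_id")


def build_token_request(fi_reference_id, basic_user, basic_password, eidas_cert, tpp_params):
    """Build (without sending) the token request an FI makes on behalf of a TPP."""
    grant_type = tpp_params.get("grant_type")
    if grant_type not in ("authorization_code", "client_credentials"):
        raise ValueError("grant_type must be authorization_code or client_credentials")
    if grant_type == "authorization_code":
        # These fields are only required for the authorization_code flow.
        missing = [f for f in AUTH_CODE_FIELDS if not tpp_params.get(f)]
        if missing:
            raise ValueError("missing fields: " + ", ".join(missing))
    # Assumption: RFC 7617 "user:password" credentials; the page only says Basic Auth.
    basic = base64.b64encode(f"{basic_user}:{basic_password}".encode()).decode()
    headers = {
        "Authorization": "Basic " + basic,
        "fi_reference_id": fi_reference_id,
        # Assumption: the certificate bytes are Base64 encoded exactly as supplied.
        "x-eidas": base64.b64encode(eidas_cert).decode(),
        "Content-Type": "application/json",
    }
    body = json.dumps({"client_request_query_parameters": tpp_params}).encode()
    return urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")


def parse_token_response(status, raw_body):
    """Return the "data" object of a 201; raise with the error codes otherwise."""
    doc = json.loads(raw_body)
    if status != 201:
        codes = [err.get("code") for err in doc.get("errors", [])]
        raise PermissionError(f"token request rejected ({status}): {codes}")
    data = doc.get("data") or {}
    if not data.get("access_token"):
        raise ValueError("201 response carries no access_token")
    return data


if __name__ == "__main__":
    # Constructed inputs: placeholder credentials and certificate bytes.
    params = {"grant_type": "client_credentials"}
    req = build_token_request("fi-example", "user", "secret", b"CONSTRUCTED-CERT", params)
    print(req.get_method(), req.full_url, sorted(req.headers))
```
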
Last Updated: 8/9/2019, 3:47:34 PM