
OAuth Token

POST /o/token/

Obtain an OAuth 2.0 access token using the client credentials grant type. This is a public endpoint that does not require an existing access token.

Authentication

This endpoint does not require a Bearer token. Instead, client credentials are provided either via Basic Auth header or in the request body.

Request Body Parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| grant_type | string | Yes | Must be client_credentials |
| client_id | string | No* | Your OAuth2 client ID (required if not using Basic Auth header) |
| client_secret | string | No* | Your OAuth2 client secret (required if not using Basic Auth header) |
| scope | string | No | Space-separated list of scopes. Options: read write or read write admin |

* Client credentials can be provided either in the request body (client_id and client_secret fields) or via the Authorization: Basic header (Base64-encoded client_id:client_secret).

Example Requests

Using Basic Auth Header

# Create the Base64 encoded credentials
# (printf avoids a trailing newline; tr strips the line wrapping some base64 tools add to long input)
BASE64_CREDENTIAL=$(printf '%s' "your_client_id:your_client_secret" | base64 | tr -d '\n')

# Request the access token
curl -X POST {{BASE_URL}}/o/token/ \
  -H "Authorization: Basic $BASE64_CREDENTIAL" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&scope=read write"

Using Body Parameters

curl -X POST {{BASE_URL}}/o/token/ \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=your_client_id&client_secret=your_client_secret&scope=read write"

Response

Success Response (200 OK)

{
  "access_token": "d1UUviKpHizUGsGZuboebXS6YgwcAl",
  "token_type": "Bearer",
  "expires_in": 36000,
  "scope": "read write"
}

Response Fields

| Parameter | Type | Description |
|---|---|---|
| access_token | string | The access token to use for authenticating API requests |
| token_type | string | Always Bearer |
| expires_in | integer | Token validity period in seconds |
| scope | string | Space-separated list of granted scopes |

Using the Access Token

After obtaining an access token, include it in the Authorization header of all API requests:

curl -X GET {{BASE_URL}}/payments/ \
  -H "Authorization: Bearer your_access_token"

Scopes

| Scope | Description |
|---|---|
| read | Read access to resources (rates, currencies, payment status, etc.) |
| write | Write access to resources (create payments, withdrawals, configure webhooks, etc.) |
| admin | Administrative access (fee information, platform management) |

Error Responses

| Status Code | Error Code | Description |
|---|---|---|
| 400 | invalid_request | Missing required parameter or unsupported parameter value |
| 401 | invalid_client | Client authentication failed (invalid client_id or client_secret) |

Code Examples

Python

import requests

def get_access_token(client_id, client_secret, scope='read write'):
    """Obtain an OAuth2 access token."""

    response = requests.post(
        '{{BASE_URL}}/o/token/',
        data={
            'grant_type': 'client_credentials',
            'client_id': client_id,
            'client_secret': client_secret,
            'scope': scope
        },
        timeout=10  # do not hang indefinitely if the token endpoint is unreachable
    )

    if response.status_code == 200:
        data = response.json()
        return data['access_token']
    else:
        raise Exception(f"Token request failed: {response.status_code}")

# Usage (placeholder values; load real credentials from the environment or a secrets manager)
token = get_access_token('your_client_id', 'your_client_secret')

# For admin access
admin_token = get_access_token('your_client_id', 'your_client_secret', 'read write admin')

Node.js

const axios = require('axios');

async function getAccessToken(clientId, clientSecret, scope = 'read write') {
  // axios rejects the promise on non-2xx responses (400 invalid_request, 401 invalid_client)
  const response = await axios.post(
    '{{BASE_URL}}/o/token/',
    new URLSearchParams({
      grant_type: 'client_credentials',
      client_id: clientId,
      client_secret: clientSecret,
      scope: scope
    }),
    {
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded'
      },
      timeout: 10000 // milliseconds; do not wait indefinitely for the token endpoint
    }
  );

  return response.data.access_token;
}

PHP

<?php
function getAccessToken($clientId, $clientSecret, $scope = 'read write') {
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL => "{{BASE_URL}}/o/token/",
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST => true,
        CURLOPT_TIMEOUT => 10, // seconds; do not wait indefinitely
        CURLOPT_HTTPHEADER => [
            "Content-Type: application/x-www-form-urlencoded"
        ],
        CURLOPT_POSTFIELDS => http_build_query([
            'grant_type' => 'client_credentials',
            'client_id' => $clientId,
            'client_secret' => $clientSecret,
            'scope' => $scope
        ])
    ]);

    $response = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    // Fail on transport errors and on 400/401 responses instead of returning null
    if ($response === false || $status !== 200) {
        throw new RuntimeException("Token request failed: HTTP $status");
    }

    $data = json_decode($response, true);
    return $data['access_token'];
}

$token = getAccessToken('your_client_id', 'your_client_secret');
?>

Security Best Practices

  • Never hardcode client credentials in your application source code
  • Store credentials securely using environment variables or a secrets manager
  • Always use HTTPS for token requests
  • Request only the scopes your application needs
  • Implement token caching to avoid unnecessary token requests
  • Handle token expiration gracefully by requesting a new token before the current one expires
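
The practices above combined in one client, as an added example that is not part of the original documentation: credentials are read from the environment and sent in the Basic Auth header, a non-HTTPS token URL is rejected, and the token is cached and renewed before `expires_in` runs out. It uses only the Python standard library; the environment variable names `OAUTH_CLIENT_ID` and `OAUTH_CLIENT_SECRET`, the 60-second renewal margin and all function and class names are assumptions.

```python
import base64
import json
import os
import threading
import time
import urllib.parse
import urllib.request


def build_token_request(token_url, client_id, client_secret, scope):
    """POST for /o/token/ with the credentials in the Basic Auth header."""
    if urllib.parse.urlsplit(token_url).scheme != "https":
        raise ValueError("token endpoint must be https")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}).encode()
    return urllib.request.Request(token_url, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded"})


def fetch_token(request, timeout=10):
    """Send the request; urlopen raises HTTPError on 400/401 responses."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp)


class TokenCache:
    """Returns a cached token and renews it `skew` seconds before expiry."""
    def __init__(self, request, skew=60, fetch=fetch_token, clock=time.monotonic):
        self._request, self._skew = request, skew
        self._fetch, self._clock = fetch, clock
        self._lock = threading.Lock()
        self._token, self._renew_at = None, 0.0

    def get(self):
        with self._lock:  # only one thread refreshes at a time
            if self._token is None or self._clock() >= self._renew_at:
                data = self._fetch(self._request)
                self._token = data["access_token"]
                lifetime = max(int(data["expires_in"]) - self._skew, 0)
                self._renew_at = self._clock() + lifetime
            return self._token


def cache_from_env(token_url, scope="read"):
    """Credentials come from the environment; variable names are assumptions."""
    cid, secret = os.environ["OAUTH_CLIENT_ID"], os.environ["OAUTH_CLIENT_SECRET"]
    return TokenCache(build_token_request(token_url, cid, secret, scope))
```

Create one `TokenCache` per process and call `get()` before each API request; the default scope here is `read` only, so pass a wider scope explicitly when the application needs it.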