Token

POST /api/v1/token
curl --request POST \
  --url https://{host}/api/v1/token \
  --header 'Content-Type: application/json' \
  --data '{}'
{
  "access_token": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...",
  "token_type": "Bearer",
  "refresh_token": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "expires_in": 299
}
Use the https://api.flinks.io/api/v1/token endpoint to receive an access token so that you can start using the Open Banking API.

Token structure

When you use authorization_code or refresh_token as the grant type, the token includes the following claims:
{
  "client_id": "dc-7tf8aijpjqofl3uxppi136ldc",
  "sub": "bbc6eb83-60fa-4fb0-a6ea-9e2bd54e1071",
  "exp": 1709147034
}
The sub claim can be used to uniquely identify the user at the Data Provider.

About the refresh_token

When you’re using authorization_code as the grant type, the refresh_token that you receive is controlled by Flinks. It has an idle timeout of 30 days and does not otherwise expire, so it can be refreshed indefinitely unless it’s revoked. The refresh_token also does not change when exchanged.

Receiving a 400, 401, or 403 response

The data collection lifecycle is not connected to the refresh_token. If you receive a 400, 401, or 403 error when calling this endpoint, it means that one of the tokens managed by Flinks has expired.

How to handle an error response

If you receive an error response, refer to the List of Authorization Errors for more information about the error and how to resolve it.

Body

application/json
grant_type
string
required

Specifies the type of information you are passing to request an access token. Possible values include:

  • client_credentials
  • authorization_code
  • refresh_token

code
string

The authorization code that you receive from the callback during the authorization process. Only pass this field if you are using authorization_code as the grant_type.

redirect_uri
string

The URL that you used in the authorization request. Must be an exact match. Only pass this field if you are using authorization_code as the grant_type.

refresh_token
string

The refresh token that you're exchanging for a new access token. Only pass this field if you are using refresh_token as the grant_type.

scope
string

Used for app management. Only pass this field if you are using client_credentials as the grant_type.

Response

Returned when the token request is successful. The response varies based on the grant_type:

  • refresh_token - Returns access_token, token_type, and expires_in.
  • authorization_code - Returns access_token, token_type, refresh_token, and expires_in.
  • client_credentials - Returns access_token, token_type, and expires_in.

access_token
string

The access token to use for authenticated requests.

token_type
string

The type of token. Value is Bearer.

expires_in
integer
default:0

The number of seconds until the access token expires.

refresh_token
string

The refresh token to use to obtain a new access token. Only returned when using authorization_code as the grant type.

scope
string

The scope of data associated with the token.
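
The grant-specific body fields, the absence of a refresh_token in refresh responses, and the 400/401/403 handling described on this page, combined in a client-side token cache. This is an added example, not Flinks code; the `post` transport callable (request body in, status code and parsed JSON out), the 30-second `skew`, and all class and function names are assumptions.

```python
import time

# Fields the page allows next to each grant_type.
ALLOWED = {
    "client_credentials": {"scope"},
    "authorization_code": {"code", "redirect_uri"},
    "refresh_token": {"refresh_token"},
}

class ReauthorizationRequired(Exception):
    """A Flinks-managed token has expired; the user must authorize again."""

def build_body(grant_type, **fields):
    """Build the JSON body, rejecting fields that belong to another grant."""
    if grant_type not in ALLOWED:
        raise ValueError(f"unsupported grant_type: {grant_type!r}")
    extra = sorted(set(fields) - ALLOWED[grant_type])
    if extra:
        raise ValueError(f"{extra} must not be sent with {grant_type}")
    return {"grant_type": grant_type, **fields}

class TokenCache:
    """Caches the access token; `post` is an assumed transport: body -> (status, json)."""

    def __init__(self, post, clock=time.time, skew=30):
        self.post, self.clock, self.skew = post, clock, skew
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _request(self, body):
        status, data = self.post(body)
        if status in (400, 401, 403):  # per the page: a managed token has expired
            raise ReauthorizationRequired(status)
        if status >= 400:
            raise RuntimeError(f"token endpoint returned {status}")
        self.access_token = data["access_token"]
        # The refresh_token grant returns no refresh_token; keep the stored one.
        self.refresh_token = data.get("refresh_token", self.refresh_token)
        # Renew `skew` seconds early so a token never expires mid-request.
        self.expires_at = self.clock() + data["expires_in"] - self.skew

    def exchange_code(self, code, redirect_uri):
        self._request(build_body("authorization_code", code=code, redirect_uri=redirect_uri))

    def get(self):
        """Return a usable access token, refreshing it when it is about to expire."""
        if self.clock() >= self.expires_at:
            if self.refresh_token is None:
                raise ReauthorizationRequired("no refresh_token stored")
            self._request(build_body("refresh_token", refresh_token=self.refresh_token))
        return self.access_token
```

Catch `ReauthorizationRequired` at the point where you can send the user back through the authorization flow, and keep both tokens out of logs and error messages.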