Obtaining tokens
Exchanging authorization code for tokens
Once you receive the authorization code, exchange it for the id_token, access_token and refresh_token.
Obtain token endpoint
Request
Response format
Successful token exchange returns:
The id_token is only included if your application requested the openid scope.
id_token
The id_token is a JSON Web Token (JWT) that contains information about the user who authenticated with Yoco.
It is signed, and its signature can be verified with the public keys published as a JSON Web Key Set (JWKS), which confirms the token’s integrity.
The JWKS are available at the following URLs:
The JWT contains several claims; the following are the most relevant:
JWT.io is a useful tool for decoding and verifying JWTs.
access_token
The access_token is used to authenticate requests to the Yoco API.
This token is a sensitive credential and must be stored securely.
refresh_token
The refresh_token is used to obtain a new access_token without requiring the user to re-authenticate.
It is obtained when the offline_access scope is requested.
This token is a sensitive credential and must be stored securely.
At this stage, the OAuth flow is complete!
You now have the necessary tokens to make authenticated requests to the Yoco API.