Obtaining tokens

Exchanging authorization code for tokens

Once you receive the authorization code, exchange it for the id_token, access_token and refresh_token.

Obtain token endpoint

Request

1
POST /oauth2/token
2
Content-Type: application/x-www-form-urlencoded
3
4
grant_type=authorization_code
5
&code=AUTHORIZATION_CODE
6
&client_id=YOUR_CLIENT_ID
7
&client_secret=YOUR_CLIENT_SECRET
8
&redirect_uri=YOUR_REDIRECT_URI

Response format

Successful token exchange returns:

1
{
2
  "access_token": "<ACCESS_TOKEN>",
3
  "expires_in": 1209599,
4
  "id_token": "<ID_TOKEN>",
5
  "refresh_token": "<REFRESH_TOKEN>",
6
  "scope": "offline_access openid business/orders:read",
7
  "token_type": "bearer"
8
}

id_token

The id_token is a JSON Web Token (JWT) that contains information about the user who authenticated with Yoco.

It is signed with a public key (JWKS) that can be used to verify the token’s integrity.

The JWKS are available at the following URLs:

The JWT contains several claims; the following are the most relevant:

access_token

The access_token is used to authenticate requests to the Yoco API.

This token is a secure credential, and must be stored securely.

refresh_token

The refresh_token is used to obtain a new access_token without requiring the user to re-authenticate.

It is obtained when the offline_access scope is requested.

This token is a secure credential, and must be stored securely.

Related documentation

• Refreshing access tokens
• Obtaining authenticated user information