Authorization header. How you get that token depends on whose account you’re operating on.
Two paths, one API
Your own account
API key → Your tokenYour server exchanges its application API key for a token scoped to your Fluz account.A customer's account
OAuth grant → Their tokenA customer authorizes your app, and Fluz returns a token scoped to their account.createVirtualCard on your token creates a card on your wallet; createVirtualCard on a customer token creates it on theirs.
Path 1 — your own account
- In the dashboard, create an application and copy its
clientIdandclientSecret. - From your backend, call
generateUserAccessTokenonhttps://oauth-service.fluzapp.com/graphqlwith yourclientId,clientSecret, and the scopes you need. - Attach the returned
accessTokenasAuthorization: Bearer <token>on every request to the transactional graph.
Path 2 — a customer’s account
Use this when you’re building a platform — e.g. issuing cards on behalf of your users.- Redirect the customer to Fluz’s OAuth authorize URL with your
clientId, requested scopes, andredirect_uri. - The customer signs in and grants your scopes.
- Fluz redirects back with a short-lived authorization
code. - Your server exchanges the code for a customer-scoped access token by calling
generateUserAccessTokenwith the code and your application credentials. - Refresh customer-scoped tokens before they expire without re-prompting the customer.
Scopes
Tokens carry an explicit set of scopes. Common ones by capability:
Request the minimum you need. Every scope also has a
REQUEST_* variant used with the approvals flow — see Approvals & Requests. Mint a new token when you need broader access.
Token lifetime
- Access tokens: short-lived. Refresh before
expiresInelapses. - OAuth customer tokens: refreshable via the OAuth service.
- Application
clientSecret: valid until rotated in the dashboard.
Next steps
Get your API credentials
Path 1 in practice — mint a token for your own account and make a call.
Build a platform
Path 2 in practice — connect customer accounts with the OAuth grant flow.