Skip to main content
Every Fluz API request carries a user access token in the Authorization header. How you get that token depends on whose account you’re operating on.

Two paths, one API

Your own account

API keyYour tokenYour server exchanges its application API key for a token scoped to your Fluz account.

A customer's account

OAuth grantTheir tokenA customer authorizes your app, and Fluz returns a token scoped to their account.
Once you hold a token, the rest of the API is identical. createVirtualCard on your token creates a card on your wallet; createVirtualCard on a customer token creates it on theirs.

Path 1 — your own account

  1. In the dashboard, create an application and copy its clientId and clientSecret.
  2. From your backend, call generateUserAccessToken on https://oauth-service.fluzapp.com/graphql with your clientId, clientSecret, and the scopes you need.
  3. Attach the returned accessToken as Authorization: Bearer <token> on every request to the transactional graph.
See API credentials for a full example.

Path 2 — a customer’s account

Use this when you’re building a platform — e.g. issuing cards on behalf of your users.
  1. Redirect the customer to Fluz’s OAuth authorize URL with your clientId, requested scopes, and redirect_uri.
  2. The customer signs in and grants your scopes.
  3. Fluz redirects back with a short-lived authorization code.
  4. Your server exchanges the code for a customer-scoped access token by calling generateUserAccessToken with the code and your application credentials.
  5. Refresh customer-scoped tokens before they expire without re-prompting the customer.
Full walkthrough in Build a platform.

Scopes

Tokens carry an explicit set of scopes. Common ones by capability: Request the minimum you need. Every scope also has a REQUEST_* variant used with the approvals flow — see Approvals & Requests. Mint a new token when you need broader access.

Token lifetime

  • Access tokens: short-lived. Refresh before expiresIn elapses.
  • OAuth customer tokens: refreshable via the OAuth service.
  • Application clientSecret: valid until rotated in the dashboard.
Never ship a clientSecret to a browser or mobile client. It mints tokens for your account; leaking one is equivalent to leaking your credentials.

Next steps

Get your API credentials

Path 1 in practice — mint a token for your own account and make a call.

Build a platform

Path 2 in practice — connect customer accounts with the OAuth grant flow.