Exchanging an OAuth authorization code

Exchanging an auth code for an Access Token

You can take the code received in response to a permissions request and exchange it for an Access Token and Refresh Token.

To exchange your authorization code for an access token, make a request to https://fluz.app/token/exchange with the following query params:

| Query param | Description |
| --- | --- |
| code | The auth code received above |
| redirect_uri | The redirect_uri you used in the previous auth step. This URI must match exactly. |

Additionally, set an Authorization header containing the base64 encoding of client_id:app_secret, that is, your client_id and app_secret joined by a colon. This is a Basic auth header, so it follows this format: Authorization: Basic <base64 encoded CLIENT_ID:APP_SECRET>

For example, if your client_id is abc123 and your app_secret from the OAuth widget configuration is def456, the base64 encoded value would be YWJjMTIzOmRlZjQ1Ng==.

Here is an example cURL command:

```
curl -X GET "https://fluz.app/token/exchange?code=<the auth code>&redirect_uri=<the redirect_uri you used in the auth step>" -H "Authorization: Basic YWJjMTIzOmRlZjQ1Ng=="
```

The response will include:

| Field | Description |
| --- | --- |
| accessToken | Short-lived token for subsequent requests to Fluz's backend services |
| refreshToken | Refresh token to store and use when the accessToken expires |
| scopes | The values the user permitted through the previous flow |

Here is an example of a full response:

```json
{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTc1MjA5NDgwNH0.0dKCtVpN0mTHHMuGNNx4VLJisTnovFNPQKhSw6zWosc",
  "authorizationCode": "f082972eb110b80f73b0d0f95d1de9266069a1e4",
  "accessTokenExpiresAt": "2025-07-08T21:05:30.673Z",
  "refreshToken": "8ec16c25951616150b0332a4a6d66547",
  "refreshTokenExpiresAt": "2025-08-08T20:55:30.738Z",
  "scope": ["MAKE_WIDTHDRAW", "MAKE_DEPOSIT", "LIST_PAYMENT"],
  "client": {
    "id": "dab5c80e-0321-4c3a-988a-ffedfd64d8db",
    "app_id": "0a92d46e-edf4-422e-8c62-946051e5067b",
    "app_name": "First OAuth integration",
    "grants": ["authorization_code", "client_credentials", "password", "refresh_token"],
    "redirectUris": ["http://localhost:3035/oauth/finalize"],
    "accessTokenLifetime": 600
  },
  "user": {
    "id": "5070d5a1-d71a-4190-91b0-f116eec51771"
  }
}
```
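The exchange described above in Python, as an added example that is not Fluz's own code: it builds the request with the Basic header and a percent-encoded redirect_uri, then checks the response for the token fields and their expiry. The function names and the sample response body are assumptions constructed for illustration; the endpoint, parameters and field names are the ones shown on this page.

```python
import base64
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

TOKEN_URL = "https://fluz.app/token/exchange"  # endpoint from the page; always https

def basic_auth_header(client_id, app_secret):
    """Return 'Basic <base64(client_id:app_secret)>', padding included."""
    raw = f"{client_id}:{app_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def build_exchange_request(code, redirect_uri, client_id, app_secret):
    """Build (without sending) the GET request for the code exchange."""
    # urlencode percent-escapes redirect_uri so it arrives byte-for-byte intact.
    query = urllib.parse.urlencode({"code": code, "redirect_uri": redirect_uri})
    req = urllib.request.Request(f"{TOKEN_URL}?{query}", method="GET")
    req.add_header("Authorization", basic_auth_header(client_id, app_secret))
    return req

def parse_token_response(body, now):
    """Pull out the token fields; reject a missing or already-expired token."""
    data = json.loads(body)
    for field in ("accessToken", "refreshToken", "accessTokenExpiresAt"):
        if field not in data:
            raise ValueError(f"missing field: {field}")
    expires = datetime.fromisoformat(data["accessTokenExpiresAt"].replace("Z", "+00:00"))
    if expires <= now:
        raise ValueError("access token already expired")
    return {"access_token": data["accessToken"],
            "refresh_token": data["refreshToken"],
            "expires_at": expires,
            "scope": data.get("scope", [])}

# Constructed sample response (placeholder token values, not real credentials).
SAMPLE_BODY = json.dumps({
    "accessToken": "constructed-access-token",
    "refreshToken": "constructed-refresh-token",
    "accessTokenExpiresAt": "2025-07-08T21:05:30.673Z",
    "scope": ["LIST_PAYMENT"]})

if __name__ == "__main__":
    req = build_exchange_request("constructed-code",
        "http://localhost:3035/oauth/finalize", "abc123", "def456")
    print(req.full_url, req.get_header("Authorization"))
    print(parse_token_response(SAMPLE_BODY, datetime(2025, 7, 8, 21, 0, tzinfo=timezone.utc)))
```

Pass the returned request to urllib.request.urlopen to send it, and load app_secret from a secret store rather than source code.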