Exchanging an OAuth authorization code
Exchanging an auth code for an Access Token
Take the code returned in response to a permissions request and exchange it for an Access Token and Refresh Token.
To exchange your authorization code for an access token, make a request to https://fluz.app/token/exchange with the following query params:
query param | description |
---|---|
code | The auth token above |
redirect_uri | The redirect_uri you used in the previous auth step. This URI must match exactly. |
Additionally, set an Authorization header containing the base64 encoding of your client_id and app_secret joined by a colon (client_id:app_secret). This is a Basic auth header, so it follows this format: Authorization: Basic <base64 encoded CLIENT_ID:APP_SECRET>
For example, if your client_id is abc123 and your app_secret from the OAuth widget configuration is def456, the base64 encoded value would be YWJjMTIzOmRlZjQ1Ng==.
Here is an example cURL command:
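```bash
# Use https so the Basic credentials are not sent in cleartext; the header value keeps its == padding.
curl -X GET "https://fluz.app/token/exchange?code=<the auth code>&redirect_uri=<the redirect_uri you used in the auth step>" -H "Authorization: Basic YWJjMTIzOmRlZjQ1Ng=="
```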
The response will include:
field | description |
---|---|
accessToken | Short-lived token for subsequent requests into Fluz's backend services |
refreshToken | Refresh token to store and use when the accessToken expires |
scopes | The values the user permitted through the previous flow |
Here is an example of a full response:
```json
{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTc1MjA5NDgwNH0.0dKCtVpN0mTHHMuGNNx4VLJisTnovFNPQKhSw6zWosc",
  "authorizationCode": "f082972eb110b80f73b0d0f95d1de9266069a1e4",
  "accessTokenExpiresAt": "2025-07-08T21:05:30.673Z",
  "refreshToken": "8ec16c25951616150b0332a4a6d66547",
  "refreshTokenExpiresAt": "2025-08-08T20:55:30.738Z",
  "scope": ["MAKE_WIDTHDRAW", "MAKE_DEPOSIT", "LIST_PAYMENT"],
  "client": {
    "id": "dab5c80e-0321-4c3a-988a-ffedfd64d8db",
    "app_id": "0a92d46e-edf4-422e-8c62-946051e5067b",
    "app_name": "First OAuth integration",
    "grants": ["authorization_code", "client_credentials", "password", "refresh_token"],
    "redirectUris": ["http://localhost:3035/oauth/finalize"],
    "accessTokenLifetime": 600
  },
  "user": {
    "id": "5070d5a1-d71a-4190-91b0-f116eec51771"
  }
}
```
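The request and response handling described above, as an added Python example (not Fluz's own code). The endpoint, query params, header format and response field names come from this page; the function names, the `required_scopes` parameter and the 10-second timeout are assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request
from datetime import datetime

# Added example: function names are hypothetical, not part of a Fluz SDK.
TOKEN_ENDPOINT = "https://fluz.app/token/exchange"  # endpoint from the page


def build_exchange_request(code, redirect_uri, client_id, app_secret,
                           endpoint=TOKEN_ENDPOINT):
    """Build the GET request that swaps an authorization code for tokens."""
    # The Basic header carries the app secret, so refuse cleartext endpoints.
    if urllib.parse.urlsplit(endpoint).scheme != "https":
        raise ValueError("token endpoint must use https")
    # urlencode percent-encodes ':' and '/' in redirect_uri; the decoded value
    # must still match the one sent in the authorization step exactly.
    query = urllib.parse.urlencode({"code": code, "redirect_uri": redirect_uri})
    basic = base64.b64encode(f"{client_id}:{app_secret}".encode()).decode("ascii")
    return urllib.request.Request(
        f"{endpoint}?{query}",
        headers={"Authorization": f"Basic {basic}"},
        method="GET",
    )


def parse_token_response(body, required_scopes=()):
    """Validate the JSON body and return the tokens with a parsed expiry."""
    data = json.loads(body)
    for field in ("accessToken", "refreshToken", "accessTokenExpiresAt"):
        if not data.get(field):
            raise ValueError(f"token response is missing {field}")
    granted = set(data.get("scope", []))  # key name as in the example response
    missing = set(required_scopes) - granted
    if missing:
        raise PermissionError(f"user did not grant: {sorted(missing)}")
    expires = datetime.fromisoformat(
        data["accessTokenExpiresAt"].replace("Z", "+00:00"))
    return {"access_token": data["accessToken"], "expires_at": expires,
            "refresh_token": data["refreshToken"], "scopes": granted}


def exchange(code, redirect_uri, client_id, app_secret):
    """Perform the exchange over the network (not run on import)."""
    req = build_exchange_request(code, redirect_uri, client_id, app_secret)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read())
```

Keep the app_secret and the returned tokens out of logs and URLs; only the code and redirect_uri travel in the query string.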