Generate a User Access Token

API actions (like purchasing) require a temporary User Access Token with specific permissions (scopes).

  • Required info:

    • Your API Key (use your Test API Key for testing)
    • Your User ID (use your Test User ID for testing)
    • Your Account ID (use your Test Account ID for testing)
    • Your desired scopes (permissions).
  • Common scopes:

    • LIST_OFFERS: View available merchants and offers.
    • PURCHASE_GIFTCARD: Buy gift cards.
    • REVEAL_GIFTCARD: View purchased gift card details.
    • LIST_PURCHASES: See purchase history.
    • LIST_PAYMENT: View payment methods.
    • MANAGE_PAYMENT: Add or remove payment methods.
    • 📘 Learn more: Application Scopes Documentation
  • Generate token using cURL (Sandbox):
    Replace placeholders <YOUR_SANDBOX_API_KEY>, <YOUR_SANDBOX_USER_ID>, and <YOUR_ACCOUNT_ID> with the credentials you would like to use.

    curl -X POST https://transactional-graph.staging.fluzapp.com/api/v1/graphql \
      -H "Authorization: Basic <YOUR_SANDBOX_API_KEY>" \
      -H "Content-Type: application/json" \
      -d '{
        "query": "mutation generateUserAccessToken($userId: UUID!, $accountId: UUID!, $scopes: [ScopeType!]!, $seatId: UUID) { generateUserAccessToken(userId: $userId, accountId: $accountId, scopes: $scopes, seatId: $seatId) { accessToken refreshToken scopes } }",
        "variables": {
          "userId": "<YOUR_SANDBOX_USER_ID>",
          "accountId": "<YOUR_ACCOUNT_ID>",
          "scopes": [
            "LIST_PURCHASES", "LIST_OFFERS", "LIST_PAYMENT",
            "REVEAL_GIFTCARD", "PURCHASE_GIFTCARD", "MANAGE_PAYMENT"
          ]
        }
      }'
  • Response: You'll get a token.

    {
      "data": {
        "generateUserAccessToken": {
          "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...", // <-- This is your Access Token
          "refreshToken": "0cb671d0b1aaa727c96874270cd15c2f", // <-- This is your Refresh Token
          "scopes": ["LIST_PURCHASES", ...]
        }
      }
    }
  • 💾 Copy the accessToken value. You'll use this in the Authorization: Bearer <YOUR_USER_ACCESS_TOKEN> header for authenticated requests.

  • 💾 Copy the refreshToken value. You'll use this later to request a new User Access Token when the current one expires. See section Refresh an Expired User Access Token.

  • In your code:

❗️ Token Validity & Caching:

  • Sandbox Tokens expire after 10 minutes.
  • Production Tokens expire after 3 minutes.
  • Recommendation: Cache the token in your application and refresh it only when it's expired or about to expire, rather than generating one for every single API call.
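
The caching recommendation above, sketched as an added example (not Fluz's own code). The class name, the injected `generate` callable and the 30-second refresh margin are assumptions; it also goes one step beyond the text by caching one token per scope set, so each caller can request only the scopes it needs.

```python
import threading
import time

# Lifetimes stated on the page; the 30 s refresh margin is this example's assumption.
TOKEN_TTL_SECONDS = {"sandbox": 10 * 60, "production": 3 * 60}

class UserAccessTokenCache:
    """Keeps one token per scope set and regenerates it shortly before it expires."""

    def __init__(self, generate, environment="sandbox", margin=30, clock=time.monotonic):
        self._generate = generate  # callable(scopes) -> the generateUserAccessToken object
        self._ttl = TOKEN_TTL_SECONDS[environment]
        self._margin = margin
        self._clock = clock
        self._lock = threading.Lock()
        self._entries = {}  # frozenset(scopes) -> (access_token, expires_at)

    def get(self, scopes):
        key = frozenset(scopes)
        with self._lock:  # one generation at a time, even with concurrent callers
            now = self._clock()
            entry = self._entries.get(key)
            if entry and now < entry[1] - self._margin:
                return entry[0]
            # `now` was read before the request, so latency can only shorten the cached lifetime.
            result = self._generate(sorted(key))
            if not key <= set(result["scopes"]):
                raise PermissionError("token was issued without all requested scopes")
            self._entries[key] = (result["accessToken"], now + self._ttl)
            return result["accessToken"]

    def auth_header(self, scopes):
        return {"Authorization": f"Bearer {self.get(scopes)}"}

def demo():
    """Constructed run: a fake generator and a fake clock stand in for the API."""
    calls, now = [], [0.0]
    def fake_generate(scopes):  # hypothetical stand-in for the cURL request above
        calls.append(scopes)
        return {"accessToken": f"constructed-token-{len(calls)}",
                "refreshToken": "constructed-refresh", "scopes": scopes}
    cache = UserAccessTokenCache(fake_generate, "production", clock=lambda: now[0])
    first = cache.get(["LIST_OFFERS"])
    now[0] = 100.0                       # still before 180 s - 30 s: served from cache
    second = cache.get(["LIST_OFFERS"])
    now[0] = 151.0                       # inside the margin: a new token is generated
    third = cache.get(["LIST_OFFERS"])
    return first, second, third, len(calls)
```

In a real client, `generate` would send the generateUserAccessToken mutation shown earlier and return its result object; keep the token in memory only and out of logs.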
