Generate a User Access Token
API actions (like purchasing) require a temporary User Access Token with specific permissions (scopes).
- Required info:
  - Your API Key (use your Test API Key for testing)
  - Your User ID (use your Test User ID for testing)
  - Your Account ID (use your Test Account ID for testing)
  - Your desired scopes (permissions).
- Common scopes:
  - `LIST_OFFERS`: View available merchants and offers.
  - `PURCHASE_GIFTCARD`: Buy gift cards.
  - `REVEAL_GIFTCARD`: View purchased gift card details.
  - `LIST_PURCHASES`: See purchase history.
  - `LIST_PAYMENT`: View payment methods.
  - `MANAGE_PAYMENT`: Add or remove payment methods.
  - 📘 Learn more: Application Scopes Documentation
- Generate token using cURL (Sandbox):
  Replace placeholders `<YOUR_SANDBOX_API_KEY>`, `<YOUR_SANDBOX_USER_ID>`, and `<YOUR_ACCOUNT_ID>` with the credentials you would like to use.

  ```bash
  curl -X POST https://transactional-graph.staging.fluzapp.com/api/v1/graphql \
    -H "Authorization: Basic <YOUR_SANDBOX_API_KEY>" \
    -H "Content-Type: application/json" \
    -d '{
      "query": "mutation generateUserAccessToken($userId: UUID!, $accountId: UUID!, $scopes: [ScopeType!]!, $seatId: UUID) { generateUserAccessToken(userId: $userId, accountId: $accountId, scopes: $scopes, seatId: $seatId) { accessToken refreshToken scopes } }",
      "variables": {
        "userId": "<YOUR_SANDBOX_USER_ID>",
        "accountId": "<YOUR_ACCOUNT_ID>",
        "scopes": [
          "LIST_PURCHASES",
          "LIST_OFFERS",
          "LIST_PAYMENT",
          "REVEAL_GIFTCARD",
          "PURCHASE_GIFTCARD",
          "MANAGE_PAYMENT"
        ]
      }
    }'
  ```
- Response: You'll get a token.

  ```json
  {
    "data": {
      "generateUserAccessToken": {
        "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...", // <-- This is your Access Token
        "refreshToken": "0cb671d0b1aaa727c96874270cd15c2f", // <-- This is your Refresh Token
        "scopes": ["LIST_PURCHASES", ...]
      }
    }
  }
  ```
- 💾 Copy the `accessToken` value. You'll use this in the `Authorization: Bearer <YOUR_USER_ACCESS_TOKEN>` header for authenticated requests.
- 💾 Copy the `refreshToken` value. You'll use this later when requesting a new User Access Token when the current one expires. See section Refresh an Expired User Access Token.
- In your code:
Token Validity & Caching:
- Sandbox Tokens expire after 10 minutes.
- Production Tokens expire after 3 minutes.
- Recommendation: Cache the token in your application and refresh it only when it's expired or about to expire, rather than generating one for every single API call.
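
One way to follow the caching recommendation above, shown as an added example rather than Fluz's own code: a cache that keeps one token per user, account and exact scope set, and renews it shortly before the lifetime stated on this page runs out. The class name, the 30-second margin and `fetch_token` (a hypothetical callable that performs the `generateUserAccessToken` request and returns its payload) are assumptions.

```python
import threading
import time

# Lifetimes stated on this page; the 30-second early-refresh margin is an assumption.
TOKEN_TTL_SECONDS = {"sandbox": 600, "production": 180}


class UserAccessTokenCache:
    """Caches one token per (user, account, scope set) and renews it near expiry."""

    def __init__(self, fetch_token, environment="sandbox", margin=30, clock=time.monotonic):
        self._fetch_token = fetch_token  # hypothetical wrapper around generateUserAccessToken
        self._ttl = TOKEN_TTL_SECONDS[environment]
        self._margin = margin
        self._clock = clock
        self._lock = threading.Lock()
        self._entries = {}  # key -> (access_token, expires_at)

    def get(self, user_id, account_id, scopes):
        # A token is only reused for the exact scope set it was issued with.
        key = (user_id, account_id, frozenset(scopes))
        with self._lock:
            now = self._clock()
            cached = self._entries.get(key)
            if cached and now < cached[1] - self._margin:
                return cached[0]
            issued = self._fetch_token(user_id, account_id, sorted(scopes))
            if not set(scopes) <= set(issued["scopes"]):
                raise PermissionError("token is missing requested scopes")
            self._entries[key] = (issued["accessToken"], now + self._ttl)
            return issued["accessToken"]


def demo():
    """Runs the cache against a constructed fetcher and a fake clock."""
    calls, now = [], [0.0]

    def fake_fetch(user_id, account_id, scopes):  # constructed stand-in, no network
        calls.append(scopes)
        return {"accessToken": f"token-{len(calls)}", "refreshToken": "r", "scopes": scopes}

    cache = UserAccessTokenCache(fake_fetch, "production", clock=lambda: now[0])
    first = cache.get("u", "a", ["LIST_OFFERS"])
    now[0] = 100.0
    second = cache.get("u", "a", ["LIST_OFFERS"])  # still fresh, reused
    now[0] = 151.0
    third = cache.get("u", "a", ["LIST_OFFERS"])  # inside the margin, renewed
    other = cache.get("u", "a", ["LIST_OFFERS", "PURCHASE_GIFTCARD"])
    return first, second, third, other, len(calls)
```

Keying on the scope set keeps a read-only token from being reused for a purchase call, and lets each code path request only the scopes it needs.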