Using OAuth
You can also obtain and refresh your access token through the following RESTful APIs. Follow these steps to get your access and refresh tokens for use with your API requests.
Pre-requisites:
- A registered developer application
- OAuth client ID and secret
- OAuth redirect URI (if using the authorization_code grant)
- List of scopes (see Application Scopes)
OAuth URL
https://oauth-service.fluzapp.com (To be replaced with public URL from Ari)
Fluz Login URL
TBD (To be replaced with the user login page URL from Jeff)
General notes:
- The access token has an expiration time of 10 minutes. Use the refresh_token or client_credentials grants to get a new access token.
- The refresh token has an expiration date of 60 days. You will need to go through the authorization code flow again to get a new access and refresh token set.
OAuth Grants:
Grant type authorization_code:
Use this grant to request a new access token and refresh token. This grant requires that the Fluz user log in, review and permit your application's requested scopes. If you only need to obtain an access token for your application without requiring another Fluz user's permissions, use the client_credentials grant type instead.
User browser sequence:
- Direct the Fluz user to your page to initiate the OAuth authorization code flow. This page should then redirect the user to Fluz' OAuth authorization page below with the following request parameters.
  response_type: The requested response type. This value must be scope.
  client_id: The client ID from your OAuth settings
  client_secret: The client secret from your OAuth settings
  scopes: The application's requested scopes
  redirect_uri: The application's registered redirect URI
  state: An optional state value
- After login, the user will be presented with the application's requested scopes. The user can select the application scopes to approve.
- The user will then be redirected to your redirect URI with the new authorization code.
Use grant type authorization_code to obtain your new access and refresh tokens.
POST /oauth/token
REQUEST
Headers:
Content-Type: x-www-form-urlencoded
Authorization: [base64-encoded value of your 'client_id:client_secret']
Parameters:
grant_type: authorization_code
code: [The issued authorization code]
redirect_uri: [The application registered redirect URI]
RESPONSE
accessToken: The new access token
accessTokenExpiresAt: The new access token expiration date
refreshToken: The new refresh token
refreshTokenExpiresAt: The new refresh token expiration date
scope: The list of scopes allowed with the new access token
client: The associated OAuth client
user: The associated OAuth user
SAMPLE RESPONSE
{
"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnRfZGJpZCI6IjdlZmE2ZWI3LWIwMjUtNDkzMy05YzZjLTNkOWVhNzYxZmIzYSIsImFwcF9pZCI6ImQ0ZDY4NmNhLWFiNTEtNDRhZC1iNGZmLWQ4NjllZDg2ZmZjYiIsInVzZXJfZGJpZCI6IjZhNWJjMzdhLTdhNjAtNDk3Ny1hYmJhLWZkMTQ4OWY4MTZmNyIsInNlYXRfaWQiOiJkMjg3NGQyOS00YTI3LTRjMTktYjNlNy1hZjhlMGM2YTk5ODgiLCJzY29wZXMiOlsiTElTVF9QVVJDSEFTRVMiLCJQVVJDSEFTRV9HSUZUQ0FSRCJdLCJhY2NvdW50X3R5cGUiOiJDT05TVU1FUiIsIm9hdXRoX3Rva2VuIjp0cnVlLCJpYXQiOjE3NTI1Mzg1NzMsImV4cCI6MTc1MjUzOTE3MywiaXNzIjoiRmx1ek9BdXRoU2VydmljZSJ9.GXxxI40PgAw6ezf7SA4jIM7CqOjpOafBKYlAx5YYArI",
"authorizationCode": "957f43ed7bf0d4c736ac5e7828663602b59e7160",
"accessTokenExpiresAt": "2025-07-15T00:26:13.608Z",
"refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnRfZGJpZCI6IjdlZmE2ZWI3LWIwMjUtNDkzMy05YzZjLTNkOWVhNzYxZmIzYSIsInVzZXJfZGJpZCI6IjZhNWJjMzdhLTdhNjAtNDk3Ny1hYmJhLWZkMTQ4OWY4MTZmNyIsImlhdCI6MTc1MjUzODU3MywiZXhwIjoxNzY4MDkwNTczLCJpc3MiOiJGbHV6T0F1dGhTZXJ2aWNlIn0.FFr81Uzg92y20qjSkiTGu9xHbLnVgORaeO4mWWP7Cd8",
"refreshTokenExpiresAt": "2026-01-11T00:16:13.608Z",
"scope": [
"LIST_PURCHASES",
"PURCHASE_GIFTCARD"
],
"client": {
"id": "7efa6eb7-b025-4933-9c6c-3d9ea761fb3a",
"app_id": "d4d686ca-ab51-44ad-b4ff-d869ed86ffcb",
"app_name": "Vince App1",
"grants": [
"authorization_code",
"client_credentials",
"password",
"refresh_token"
],
"redirectUris": [
"https://google.com"
],
"accessTokenLifetime": 600,
"refreshTokenLifetime": 15552000
},
"user": {
"id": "6a5bc37a-7a60-4977-abba-fd1489f816f7"
}
}
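The callback check and code exchange for the authorization_code grant, as an added example that is not Fluz's own code. It assumes the redirect carries the code and the echoed state as query parameters named code and state (the page does not name them); app.example and the client credentials are constructed values.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_URL = "https://oauth-service.fluzapp.com/oauth/token"  # host as listed on this page


def new_state() -> str:
    """Unguessable per-login value; keep it in the user's server-side session."""
    return secrets.token_urlsafe(32)


def code_from_callback(callback_url: str, session_state: str) -> str:
    """Return the authorization code only if the callback echoes our state."""
    query = parse_qs(urlsplit(callback_url).query)
    returned = query.get("state", [""])[0]  # assumed callback parameter name
    if not session_state or not hmac.compare_digest(
        returned.encode(), session_state.encode()
    ):
        raise ValueError("state mismatch: callback does not belong to this login")
    codes = query.get("code", [])  # assumed callback parameter name
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def token_request(client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
    """Describe the POST /oauth/token call for grant_type=authorization_code."""
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": TOKEN_URL,
        "headers": {
            # Full media type name for the page's x-www-form-urlencoded.
            "Content-Type": "application/x-www-form-urlencoded",
            # Bare base64 value as documented above; if the server expects the
            # HTTP Basic scheme, the value becomes "Basic " + credentials.
            "Authorization": credentials,
        },
        "body": urlencode({
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": redirect_uri,
        }),
    }
```

Sending a state value and rejecting callbacks that do not echo it ties each authorization code to the browser session that started the flow, even though the parameter is optional.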
Grant type refresh_token:
For use with the authorization_code grant above. Use this grant to refresh an expired access token.
POST /oauth/token
REQUEST
Headers:
Content-Type: x-www-form-urlencoded
Authorization: [base64-encoded value of your 'client_id:client_secret']
Parameters:
grant_type: refresh_token
refresh_token: [The issued refresh token]
RESPONSE
accessToken: The new access token
accessTokenExpiresAt: The new access token expiration date
scope: The list of scopes allowed with the new access token
client: The associated OAuth client
user: The associated OAuth user
SAMPLE RESPONSE
{
"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnRfZGJpZCI6IjdlZmE2ZWI3LWIwMjUtNDkzMy05YzZjLTNkOWVhNzYxZmIzYSIsImFwcF9pZCI6ImQ0ZDY4NmNhLWFiNTEtNDRhZC1iNGZmLWQ4NjllZDg2ZmZjYiIsInVzZXJfZGJpZCI6IjZhNWJjMzdhLTdhNjAtNDk3Ny1hYmJhLWZkMTQ4OWY4MTZmNyIsInNlYXRfaWQiOiJkMjg3NGQyOS00YTI3LTRjMTktYjNlNy1hZjhlMGM2YTk5ODgiLCJzY29wZXMiOlsiTElTVF9QVVJDSEFTRVMiLCJQVVJDSEFTRV9HSUZUQ0FSRCJdLCJhY2NvdW50X3R5cGUiOiJDT05TVU1FUiIsIm9hdXRoX3Rva2VuIjp0cnVlLCJpYXQiOjE3NTI1NDI1MDksImV4cCI6MTc1MjU0MzEwOSwiaXNzIjoiRmx1ek9BdXRoU2VydmljZSJ9.Zrc7YgiG1XGFJTb_wSaHx6H7e4udUO6QJyz1_WaMQW0",
"accessTokenExpiresAt": "2025-07-15T01:31:48.974Z",
"scope": [
"LIST_PURCHASES",
"PURCHASE_GIFTCARD"
],
"client": {
"id": "7efa6eb7-b025-4933-9c6c-3d9ea761fb3a",
"app_id": "d4d686ca-ab51-44ad-b4ff-d869ed86ffcb",
"app_name": "Vince App1",
"grants": [
"authorization_code",
"client_credentials",
"password",
"refresh_token"
],
"redirectUris": [
"https://google.com"
],
"accessTokenLifetime": 600,
"refreshTokenLifetime": 15552000
},
"user": {
"id": "6a5bc37a-7a60-4977-abba-fd1489f816f7"
}
}
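Token lifecycle handling for the expiry rules in the general notes and the refresh_token grant, as an added example that is not Fluz's own code. It reads expiry from the accessTokenExpiresAt and refreshTokenExpiresAt response fields instead of hardcoding lifetimes; the 30-second margin, the function names and the token strings are assumptions, and the timestamps are taken from the sample responses.

```python
from datetime import datetime, timedelta, timezone

SKEW = timedelta(seconds=30)  # assumed safety margin before the stated expiry


def parse_ts(value: str) -> datetime:
    """Parse the ISO 8601 UTC timestamps used in the token responses."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def next_action(token_set: dict, now: datetime, app_only: bool = False) -> str:
    """Return 'use' or the grant_type needed to obtain a fresh access token."""
    if now + SKEW < parse_ts(token_set["accessTokenExpiresAt"]):
        return "use"
    if app_only:
        return "client_credentials"  # application token: request it again
    refresh_expiry = token_set.get("refreshTokenExpiresAt")
    if refresh_expiry and now + SKEW < parse_ts(refresh_expiry):
        return "refresh_token"
    return "authorization_code"  # refresh token expired: user must log in again


def apply_refresh(stored: dict, response: dict) -> dict:
    """Merge a refresh_token response into the stored token set.

    The documented refresh response lists no refreshToken, so the stored
    refresh token and its expiry are kept unless the response supplies new ones.
    """
    merged = dict(stored)
    for key in ("accessToken", "accessTokenExpiresAt", "scope"):
        merged[key] = response[key]
    for key in ("refreshToken", "refreshTokenExpiresAt"):
        if key in response:
            merged[key] = response[key]
    return merged


# Constructed token set; timestamps match the sample responses on this page.
STORED = {
    "accessToken": "constructed-access-1",
    "accessTokenExpiresAt": "2025-07-15T00:26:13.608Z",
    "refreshToken": "constructed-refresh-1",
    "refreshTokenExpiresAt": "2026-01-11T00:16:13.608Z",
    "scope": ["LIST_PURCHASES", "PURCHASE_GIFTCARD"],
}
```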
Grant type client_credentials:
Use this grant to obtain an access token directly for your application. The associated user will be the Fluz user who originally registered the application. When the access token has expired you can request another access token using this same grant.
POST /oauth/token
REQUEST
Headers:
Content-Type: x-www-form-urlencoded
Authorization: [base64-encoded value of your 'client_id:client_secret']
Parameters:
grant_type: client_credentials
scope: [A comma-separated list of scopes]
RESPONSE
accessToken: The new access token
accessTokenExpiresAt: The new access token expiration date
scope: The list of scopes allowed with the new access token
client: The associated OAuth client
user: The associated OAuth user
SAMPLE RESPONSE
{
"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.[...].tLjd6z_fN_lBzQSfFHih4FayuI546xKy5vCDk3Na98Y",
"accessTokenExpiresAt": "2025-07-15T00:11:45.353Z",
"scope": [
"MAKE_WITHDRAW",
"MAKE_DEPOSIT",
"LIST_PAYMENT"
],
"client": {
"id": "7efa6eb7-b025-4933-9c6c-3d9ea761fb3a",
"app_id": "d4d686ca-ab51-44ad-b4ff-d869ed86ffcb",
"app_name": "Vince App1",
"grants": [
"authorization_code",
"client_credentials",
"password",
"refresh_token"
],
"redirectUris": [
"https://google.com"
],
"accessTokenLifetime": 600,
"refreshTokenLifetime": 15552000
},
"user": {
"id": "244346fd-7746-4e54-a54f-5ef5eebfbe8c",
"userId": "2d10bb04-0c59-4818-8ada-0edc4c3a6572",
"accountId": "c43fc675-fe94-46dd-b4a2-1fbfa6746373"
}
}