Getting Refresh & Access Tokens

Refresh Token

Once the user has authorised your app, you will need to exchange the code for a Refresh Token. Because the Refresh Token typically has a long lifetime, you must keep it safe and store it securely using strong encryption.

Refresh Tokens are used to generate Access Tokens which have a limited lifespan. If a malicious party is able to get the Refresh Token, then they will be able to generate unlimited Access Tokens and access a Merchant’s data.

Request using JSON  
URL: <https://api.payadvantage.com.au/v3/token>  
Method: POST  
Content-Type: application/json

{  
  "code": "eyJhbGciOiJFUz...",  
  "client_id": "800d8763d38c4661859ea5d603d989a2",  
  "client_secret": "47dc71eacd7c49c6b68f4e829262fb09",  
  "grant_type": "authorization_code",  
  "redirect_uri": "https://example.com/oauth_callback"  
}

PKCE Request using JSON

URL: <https://api.payadvantage.com.au/token>  
Method: POST  
Content-Type: application/json

{  
  "code": "eyJhbGciOiJFUz...",  
  "client_id": "800d8763d38c4661859ea5d603d989a2",  
  "code_verifier": "h21pC6u26p4dmw1gH29KPQodOp3l23tvej0TQ0mg4MagVLZUEWRVynkb57NX6Fnw",  
  "grant_type": "authorization_code",  
  "redirect_uri": "https://example.com/oauth_callback"  
}

Successful Response

Status: 200  
Content-Type: application/json

{  
  "access_token": "eyJhbGciOiJFUzI1NiIsI...",  
  "expires_in": 1800,  
  "token_type": "Bearer",  
  "refresh_token": "BvisN7OihiQtZnvE8AxibAonmhw..."  
}

Errors

Invalid Request  
Status: 400  
Content-Type: application/json

{  
  "error": "invalid_grant",  
  "error_description": "The \"code\" provided cannot be understood."  
}

Not Authorised  
Status: 401  
Content-Type: application/json

{  
  "error": "unauthorized_client",  
  "error_description": "\"client_id\" not found or authorized for user."  
}

Invalid Credentials  
Status: 401  
Content-Type: application/json

{  
  "error": "invalid_client",  
  "error_description": "Incorrect credentials."  
}

Using refresh token to get new access token

Retrieving a new Access Token from a Refresh Token
When the access token has expired, you will need to refresh it.

Request  
URL: <https://api.payadvantage.com.au/v3/token>  
Method: POST  
Content-Type: application/json

{  
  "grant_type": "refresh_token",  
  "refresh_token": "BvisN7OihiQtZnvE8AxibAonmhw..."  
}

Successful Response

Status: 200  
Content-Type: application/json

{  
  "access_token": "eyJhbGciOiJFUzI1NiIsI...",  
  "expires_in": 1800,  
  "token_type": "Bearer"  
}

Errors

Invalid Request  
Status: 400  
Content-Type: application/json

{  
  "ErrorCode": "request_error",  
  "Messages": [ "Invalid grant_type." ]  
}

Forbidden  
Status: 403  
Content-Type: application/json

{  
  "ErrorCode": "forbidden",  
  "Messages": [ "Authorization code has expired." ]  
}

Not Found  
Status: 404  
Content-Type: application/json

{  
  "ErrorCode": "not_found",  
  "Messages": [ "App User has been deactivated." ]  
}
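
The code exchange and the refresh call above return errors in two different JSON shapes (`error`/`error_description` and `ErrorCode`/`Messages`). The following is an added example, not Pay Advantage code, of a client-side handler that normalises both, tracks expiry from `expires_in`, and keeps tokens out of logs. The names `TokenSet`, `TokenError` and `parse_token_response`, the 60-second refresh margin and the sample bodies are assumptions constructed for illustration.

```python
import json
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample bodies in the success shape and the two error shapes shown above.
SAMPLE_OK = ('{"access_token": "constructed-access-token", "expires_in": 1800, '
             '"token_type": "Bearer", "refresh_token": "constructed-refresh-token"}')
SAMPLE_ERR_EXCHANGE = '{"error": "invalid_grant", "error_description": "The \\"code\\" provided cannot be understood."}'
SAMPLE_ERR_REFRESH = '{"ErrorCode": "forbidden", "Messages": ["Authorization code has expired."]}'

class TokenError(Exception):
    """Carries status, error code and messages only; never the submitted tokens."""
    def __init__(self, status, code, messages):
        super().__init__(f"{status} {code}: {'; '.join(messages)}")
        self.status, self.code, self.messages = status, code, messages

@dataclass
class TokenSet:
    access_token: str = field(repr=False)   # repr=False keeps tokens out of logs
    expires_at: float
    refresh_token: Optional[str] = field(default=None, repr=False)

    def needs_refresh(self, now=None, skew=60):
        # Assumed 60 s safety margin: refresh shortly before expires_in runs out.
        return (time.time() if now is None else now) >= self.expires_at - skew

def parse_token_response(status, body, now=None):
    now = time.time() if now is None else now
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    if not isinstance(data, dict):
        raise TokenError(status, "unparseable_response", ["body is not a JSON object"])
    if status != 200:
        if "error" in data:   # code-exchange shape: error / error_description
            raise TokenError(status, str(data["error"]), [str(data.get("error_description", ""))])
        # refresh shape: ErrorCode / Messages
        raise TokenError(status, str(data.get("ErrorCode", "unknown")),
                         [str(m) for m in data.get("Messages", [])])
    if (str(data.get("token_type", "")).lower() != "bearer"
            or not data.get("access_token") or "expires_in" not in data):
        raise TokenError(status, "unexpected_response", ["missing or unexpected token fields"])
    return TokenSet(data["access_token"], now + int(data["expires_in"]), data.get("refresh_token"))

if __name__ == "__main__":
    print(parse_token_response(200, SAMPLE_OK))   # token values are not printed
```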