
Create OAuth Token (V2)

API endpoint path: /oauth2/v1/token

Issues an OAuth 2.0 access token for accessing current Candescent APIs. The returned access token must be included as a Bearer token in the Authorization header of all subsequent API requests.

Requests must use application/x-www-form-urlencoded encoding and include a supported grant_type.

Use this endpoint to:

  • Obtain a bearer token for current Candescent APIs, including Accounts, Alerts, Banking Images, Disclosures, Money Movement, and Transactions.
  • Request institution-level access when acting on behalf of a financial institution without an end-customer sign-in.
  • Sign in an end customer using their digital banking credentials.
  • Renew customer access without requiring re-authentication, using a refresh token from a prior sign-in.
  • Authorize subsequent Candescent API requests using the issued access token.

Behavior and capabilities:

  • Supports the client_credentials, password, authorization_code, and refresh_token grant types, returning a JSON response that includes the access token and expiration details.
    • The client_credentials grant issues an institution-scoped access token without customer context; when using this model, the customer context must be provided on each API request.
    • The password grant issues a customer-scoped access token for a user of the digital banking application and includes a refresh token.
    • The authorization_code grant issues an access token using an authorization code issued by Apigee as part of an OpenID Connect (OIDC) flow. A refresh token is returned only if the offline_access scope was requested during authorization.
    • The refresh_token grant issues a new access token using a previously issued refresh token.
  • Requests must authenticate using the application’s client ID and client secret via HTTP Basic Authentication.
  • The target financial institution must be specified in the institutionId request header for the client_credentials, password, and authorization_code grant types.
  • Successful responses return a JSON payload that includes the access token and its expiration details.

Note: For legacy APIs (Send Event, Destinations, Get FI Customer, Register User), use the OAuth V1 token endpoint instead.
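As an added example, not Candescent's own client code, the Python below builds the token request for each supported grant type (Basic-authenticated, form-urlencoded, with the institutionId header where the page requires it) and decides when a customer session can be renewed with a refresh token instead of a new sign-in. The base URL, credentials and institution id are constructed placeholders, and the response field names are assumed to follow RFC 6749 (access_token, expires_in, refresh_token).

```python
import base64
import time
from urllib.parse import urlencode

TOKEN_PATH = "/oauth2/v1/token"
# Grant types that must name the target institution in the institutionId header.
NEEDS_INSTITUTION = {"client_credentials", "password", "authorization_code"}
SUPPORTED_GRANTS = NEEDS_INSTITUTION | {"refresh_token"}


def build_token_request(base_url, client_id, client_secret, grant_type,
                        institution_id=None, **form_params):
    """Build the token request. Client ID/secret go only in the HTTP Basic
    Authorization header; grant-specific fields (username, password, code,
    refresh_token, scope) are form-urlencoded into the body."""
    if grant_type not in SUPPORTED_GRANTS:
        raise ValueError(f"unsupported grant_type: {grant_type}")
    if grant_type in NEEDS_INSTITUTION and not institution_id:
        raise ValueError(f"{grant_type} requires the institutionId header")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    if institution_id:
        headers["institutionId"] = institution_id
    return {"method": "POST", "url": base_url + TOKEN_PATH, "headers": headers,
            "body": urlencode({"grant_type": grant_type, **form_params})}


def parse_token_response(payload, now=None, skew=30):
    """Keep only what later calls need: the Bearer header, an absolute expiry
    (minus a safety skew so renewal happens early) and any refresh token.
    Field names are assumed to follow RFC 6749 (access_token, expires_in)."""
    now = time.time() if now is None else now
    return {"authorization": f"Bearer {payload['access_token']}",
            "expires_at": now + int(payload["expires_in"]) - skew,
            "refresh_token": payload.get("refresh_token")}


def next_request(base_url, client_id, client_secret, state, now):
    """Reuse a live token (None), renew via refresh_token, or demand sign-in."""
    if now < state["expires_at"]:
        return None
    if state["refresh_token"] is None:
        raise PermissionError("token expired and no refresh token: sign in again")
    return build_token_request(base_url, client_id, client_secret,
                               "refresh_token", refresh_token=state["refresh_token"])
```

Note that the refresh_token request carries no institutionId header, matching the page's list of grant types that require it; a client_credentials token, by contrast, never yields a refresh token, so its holder must simply request a new one.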
