POST https://api.mollie.com/oauth2/tokens
This endpoint can only be accessed using OAuth client credentials.
Exchange the authorization code you received from Authentication for an 'access token' API credential, with which you can communicate with the Mollie API on behalf of the consenting merchant.
Headers
Authorization string
The OAuth client ID and client secret as basic access credentials.
Pseudo code:
"Basic " + toBase64(client_id + ":" + client_secret)
For example:
Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Hints:
- The client credentials can be included either in this Authorization header or in the body parameters.
- This header will be required if you do not send the client_id and client_secret in the body parameters.
Body parameters
grant_type string (required)
If you wish to exchange your authorization code for an app access token, use grant type authorization_code. If you wish to renew your app access token with your refresh token, use grant type refresh_token.
Possible values: authorization_code, refresh_token
code string | null
The authorization code you received when creating the authorization. Only use this field when using grant type authorization_code.
refresh_token string | null
The refresh token you received when creating the authorization. Only use this field when using grant type refresh_token.
redirect_uri string | null
The URL the merchant is sent back to once the request has been authorized. It must match the URL you set when registering your app.
For consecutive refresh token requests, this parameter is required only if the initial authorization code grant request also contained a redirect_uri.
client_id string | null
The client ID you received when you registered your OAuth app. The ID starts with app_. For example: app_j9Pakf56Ajta6Y65AkdTtAv. There is no need to send it if you include the client credentials in the Authorization header.
client_secret string | null
The client secret you received when you registered your OAuth app. There is no need to send it if you include the client credentials in the Authorization header.
Response [200]
200 OK
access_token string
The app access token, with which you will be able to access the Mollie API on the merchant's behalf.
refresh_token string
The refresh token, with which you will be able to retrieve new app access tokens on this endpoint. The refresh token does not expire.
expires_in integer
The number of seconds left before the app access token expires. Be sure to renew your app access token before this reaches zero.
token_type string
As per OAuth standards, the provided app access token can only be used with bearer authentication.
Possible values: bearer
scope string
A space-separated list of permissions.
Example response
{
    "access_token": "access_46EUJ6x8jFJZZeAvhNH4JVey6qVpqR",
    "refresh_token": "refresh_FS4xc3Mgci2xQ5s5DzaLXh3HhaTZOP",
    "expires_in": 3600,
    "token_type": "bearer",
    "scope": "payments.read organizations.read"
}
Response [400]
400 Bad Request
error string
The error code. For example: invalid_grant.
error_description string
The error description in detail. For example: Authorization code doesn't exist or is invalid for the client.
Example response
{
    "error": "invalid_grant",
    "error_description": "Authorization code doesn't exist or is invalid for the client"
}
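The following Python sketch is an added example, not Mollie's own code: it builds the token request with the client credentials in the Authorization header rather than the body, and parses the 200 and 400 responses described above. The form-encoded body, the 60-second renewal margin, the helper names and the sample values in the demo are assumptions.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.mollie.com/oauth2/tokens"
# Body field that carries the credential for each grant type on this endpoint.
FIELD_FOR_GRANT = {"authorization_code": "code", "refresh_token": "refresh_token"}

class TokenError(Exception):
    """Raised for a non-200 reply or an unexpected token_type."""

def basic_auth(client_id, client_secret):
    # "Basic " + toBase64(client_id + ":" + client_secret), as in the Headers section.
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode("ascii")

def build_token_request(client_id, client_secret, grant_type, value, redirect_uri=None):
    """Build (do not send) the POST; the secret stays out of the body and of body logs."""
    body = {"grant_type": grant_type, FIELD_FOR_GRANT[grant_type]: value}  # KeyError on unknown grant
    if redirect_uri is not None:
        body["redirect_uri"] = redirect_uri
    headers = {
        "Authorization": basic_auth(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",  # assumption: form encoding
    }
    data = urllib.parse.urlencode(body).encode()
    return urllib.request.Request(TOKEN_URL, data=data, headers=headers, method="POST")

def parse_token_response(status, raw_body, now=None, skew=60):
    """Return the tokens plus the time at which to renew, or raise TokenError."""
    doc = json.loads(raw_body)
    if status != 200:
        raise TokenError(f"{doc.get('error')}: {doc.get('error_description')}")
    if doc["token_type"].lower() != "bearer":
        raise TokenError("unexpected token_type")
    now = time.time() if now is None else now
    return {
        "access_token": doc["access_token"],
        "refresh_token": doc["refresh_token"],
        "scopes": set(doc["scope"].split()),
        # Renew `skew` seconds early so expires_in never reaches zero mid-request.
        "refresh_at": now + max(doc["expires_in"] - skew, 0),
    }

if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network.
    req = build_token_request("app_example", "secret_example",
                              "authorization_code", "auth_constructed")
    print(req.get_method(), req.full_url, sorted(urllib.parse.parse_qs(req.data.decode())))
```

Store the returned refresh token with the same care as the client secret, since the page states that it does not expire.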