Reference

POST /partner/v1/oauth/token

The OAuth 2.0 token endpoint. Exchange client credentials for a short-lived bearer access token scoped to the capabilities you request.


HTTP method: POST
Auth: OAuth
Ring: partner

Endpoint

Method: POST
Path: /partner/v1/oauth/token
Ring: partner (OAuth token endpoint)

Parameters

Form-encoded body (application/x-www-form-urlencoded):

Field            Notes
grant_type       client_credentials
client_id        Your project's client ID.
client_secret    Your project's secret (server-side only).
scope            Space-separated scopes; request only what you use.

Response

A JSON token response: access_token (a bearer JWT), token_type (Bearer), expires_in (seconds) and the granted scope. Cache and reuse the token until just before expiry — see the token lifecycle. Verify the JWT against the JWKS if you validate it yourself.

Errors

Error codes: invalid_client (bad credentials), invalid_scope (unknown or ungranted scope) and unsupported_grant_type. The endpoint is itself rate-limited; a mint-per-request pattern will be rejected with 429.

Frequently asked questions

Where do I put the client secret?

On your server only — in the form body of this request, over TLS. It must never reach a browser, mobile app or any client-side code. If a secret leaks, rotate it immediately.

How often should I call this endpoint?

As rarely as possible — mint a token, cache it, reuse it until just before expires_in elapses, then mint again. The endpoint is rate-limited, so minting per request will throttle you.
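The mint, cache and reuse pattern described above, as an added example that is not part of the original reference or any official SDK. The host in TOKEN_URL is a placeholder, and the names mint_token and TokenCache and the 30-second refresh margin are assumptions.

```python
import json
import threading
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.example.com/partner/v1/oauth/token"  # placeholder host (assumption)


def mint_token(client_id, client_secret, scope, url=TOKEN_URL):
    """POST the form-encoded client_credentials grant over TLS; return the JSON body."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # server-side only, sent in the form body
        "scope": scope,                  # space-separated; request only what you use
    }).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:  # HTTPError on 4xx/429
        return json.load(resp)


class TokenCache:
    """Reuse one access token until `skew` seconds before expires_in elapses."""

    def __init__(self, fetch, skew=30, clock=time.monotonic):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._lock = threading.Lock()
        self._token, self._refresh_at = None, 0.0

    def get(self):
        with self._lock:  # concurrent callers share one mint instead of racing
            now = self._clock()
            if self._token is None or now >= self._refresh_at:
                resp = self._fetch()
                if resp.get("token_type", "").lower() != "bearer":
                    raise ValueError("unexpected token_type")
                self._token = resp["access_token"]
                # If expires_in <= skew the token is due at once and the next call mints again.
                self._refresh_at = now + max(int(resp["expires_in"]) - self._skew, 0)
            return self._token
```

Build one process-wide cache with a fetch callable that reads the credentials from server-side configuration, for example `TokenCache(lambda: mint_token(cid, secret, scopes))`, and call `get()` wherever a bearer token is needed.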
