Endpoint
| Method | POST |
| Path | /partner/v1/oauth/token |
| Ring | partner (OAuth token endpoint) |
Parameters
Form-encoded body (application/x-www-form-urlencoded):
| Field | Notes |
|---|---|
| grant_type | client_credentials |
| client_id | Your project's client ID. |
| client_secret | Your project's secret (server-side only). |
| scope | Space-separated scopes; request only what you use. |
Response
A JSON token response: access_token (a bearer JWT), token_type (Bearer), expires_in (seconds) and the granted scope. Cache and reuse the token until just before expiry — see the token lifecycle. Verify the JWT against the JWKS if you validate it yourself.
Errors
Error codes: invalid_client (bad credentials), invalid_scope (unknown or ungranted scope) and unsupported_grant_type. The endpoint is itself rate-limited; a mint-per-request pattern will be answered with 429 responses.
Frequently asked questions
Where do I put the client secret?
On your server only — in the form body of this request, over TLS. It must never reach a browser, mobile app or any client-side code. If a secret leaks, rotate it immediately.
How often should I call this endpoint?
As rarely as possible — mint a token, cache it, reuse it until just before expires_in elapses, then mint again. The endpoint is rate-limited, so minting per request will throttle you.
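The mint, cache and reuse cycle described above, as an added example that is not part of the original documentation or the provider's own code. The host in `TOKEN_URL`, the `TokenCache` helper, its `skew` parameter and the injectable `transport`/`clock` arguments are assumptions made for illustration; the path, form fields and response fields are the ones this page lists.

```python
import json, threading, time, urllib.parse, urllib.request

# Placeholder host (assumption); only the path comes from this page.
TOKEN_URL = "https://api.example.invalid/partner/v1/oauth/token"

def post_form(url, fields):
    """POST an application/x-www-form-urlencoded body over TLS, return parsed JSON."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(fields).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:  # HTTPError on 4xx/429
        return json.load(resp)

class TokenCache:
    """Hypothetical helper: mint once, reuse until shortly before expiry."""

    def __init__(self, client_id, client_secret, scope, skew=60,
                 transport=post_form, clock=time.monotonic):
        self._fields = {"grant_type": "client_credentials", "client_id": client_id,
                        "client_secret": client_secret, "scope": scope}
        self._skew, self._transport, self._clock = skew, transport, clock
        self._lock = threading.Lock()  # one mint even under concurrent callers
        self._token, self._refresh_at = None, 0.0

    def get(self):
        with self._lock:
            now = self._clock()
            if self._token is None or now >= self._refresh_at:
                self._token, self._refresh_at = self._mint(now)
            return self._token

    def _mint(self, now):
        resp = self._transport(TOKEN_URL, self._fields)
        if str(resp.get("token_type", "")).lower() != "bearer":
            raise ValueError("unexpected token_type")
        # Assumes the response scope is space-separated, like the request.
        missing = set(self._fields["scope"].split()) - set(resp.get("scope", "").split())
        if missing:
            raise PermissionError(f"scopes not granted: {sorted(missing)}")
        ttl = float(resp["expires_in"])
        # Refresh `skew` seconds early; for short lifetimes, at half-life instead.
        return resp["access_token"], now + ttl - min(self._skew, ttl / 2)
```

Construct one `TokenCache` per process, with the secret loaded from server-side configuration, and call `get()` wherever a bearer token is needed.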
Related reading

POST /partner/v1/oauth/introspect
The OAuth 2.0 token-introspection endpoint. Check whether an access token is active and read its scopes,…
GET /partner/v1/oauth/jwks
The JSON Web Key Set: the public keys that sign partner access tokens, so you can verify a token's signature,…
GET /.well-known/oauth-authorization-server
The OAuth 2.0 authorization-server metadata document (RFC 8414). Advertises the token endpoint, JWKS URI,…