• Documentation
  • API Reference
Overview
Guides
    Get StartedGood to KnowAccess Tokens
    Core APIs
    Alternative APIs
Other Information
Changelog
Downloads
Support
Guides

Access Tokens

All requests made to the Open Payments API requires an access token. Requesting an access token requires you to provide your client_id and client_secret, which were generated when you created your application in the Developer Portal.

We use OAuth2 with client credentials for authentication which is a well-known standard. Please use a library for authenticating with us instead of coding it yourself.

Access tokens are valid for one hour and belong to a certain scope. An access token's scope is composed of an API scope and a PSU context scope, with each accepting the following values:

API Scope ValuesDescription
aspspinformationGrants access to the ASPSP Information Service.
accountinformationGrants access to the Account Information Service.
paymentinitiationGrants access to the Payment Initiation Service, ISO Payments, FX Connect, KYC, Payout Service, and Premium Services.
bankgiroinformationUsed in combination with the accountinformation scope to grant additional access to ISO enrichment of transactions from the Swedish Bankgirot system.
PSU Context Scope ValuesDescription
privateUsed when accessing personal accounts.
corporateUsed when accessing business accounts.

When requesting access tokens, combine all API scopes that are relevant for your application where possible, and keep one active token per PSU context at a time. If you have both private and corporate PSUs, you should then have max two access tokens per hour.

This guide shows you how to acquire an access token with scope accountinformation corporate, allowing you to make requests to the Account Information Service (AIS) API for corporate accounts.

Request Token

Endpoint

Code
 
POST /connect/token

Request Headers

NameTypeDescription
AcceptstringSpecifies the desired response format.
Content-TypestringSpecifies the request format.

Request Body

NameTypeDescription
client_idstringThe Client ID of the application you created in the Developer Portal.
client_secretstringThe secret key that was generated when the application was created.
grant_typestring(enum)Specifies the OAuth 2.0 grant flow to use. For client-based access tokens, this should be client_credentials.
scopestringSpecifies the level of access requested. It is a space-separated string combining API scopes (e.g. accountinformation) and PSU context scopes (e.g. corporate).
TerminalCode
 
curl -X POST "https://auth.openbankingplatform.com/connect/token" \
  -H "Accept: application/json" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=555510ad-da62-4e6d-80b8-e18967eabf0b" \
  -d "client_secret=joiaHR0cHM6Ly9hdXRoLm9wZW5iYW5raW5ncGxhdGZvcm0uY29tIiwiYXVkIjpb" \
  -d "grant_type=client_credentials" \
  -d "scope=accountinformation corporate"

Response

Code
 
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIn0...",
  "expires_in": 3600,
  "token_type": "Bearer",
  "scope": "accountinformation corporate"
}

You now have an access token that you can use as authentication to make requests to the AIS API.

The access token expires after one hour. You must make this request again to obtain a new one.

Last modified on April 30, 2026
Good to KnowKYC
JSON