Generating an Access Token

Request
Response
Token Caching (Recommended Pattern)

All API calls require a Bearer token obtained via the OAuth 2.0 client credentials flow. Tokens expire after 5 minutes — implement automatic refresh in your backend.

Request

curl -X POST https://auth.fex.example.com/realms/payment-platform/protocol/openid-connect/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=merchant-a1b2c3d4-..." \
  -d "client_secret=xxxxxxxxxxxxxxxx"

Response

{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "expires_in": 300,
  "token_type": "Bearer"
}

Token Caching (Recommended Pattern)

Request a new token before each API call, or cache and refresh proactively using the pattern below:

if token is None or token_expires_at < now() + 30s:
    token = fetch_new_token(client_id, client_secret)
    token_expires_at = now() + token.expires_in

Important: Always refresh at least 30 seconds before expiry to avoid race conditions near the 5-minute boundary.

Getting Your Credentials Standard QR Flow

⌘I

Getting started

Technical Guide

Request

Response

Token Caching (Recommended Pattern)

Getting started

Technical Guide

​Request

​Response

​Token Caching (Recommended Pattern)

Request

Response

Token Caching (Recommended Pattern)