Get an Access Token

curl --request POST \
  --url https://api-sandbox.finogates.com/v1/platform/auth/token \
  --header 'Content-Type: application/json' \
  --data '
{
  "client_id": "<string>",
  "client_secret": "<string>"
}
'

{
  "status_code": 123,
  "data": "<unknown>",
  "query_generated_time": 123
}

Exchange Client Token

Log your app in and get an access token. You need this token before you can call any other endpoint — send it with every request to prove who you are.

What you send

The two values you were given when your account was set up:

client_id — your app’s public ID
client_secret — your app’s secret password (keep it private and safe)

What you get back

A long-lived access token. By default the token does not expire — the same Bearer value keeps working until you rotate the issuing client_secret. This matches the way Stripe Connect OAuth2 access tokens behave.

If you need a token to stop working, rotate the client_secret from the developer panel. All tokens previously issued for that client become invalid immediately on the next request. Operators who prefer a strict TTL can override by setting the CLIENT_ACCESS_TOKEN_EXPIRE_MINUTES environment variable to a positive number of minutes on the deployment.

Good to know

This is the only endpoint that does not need a token already — it is how you get one in the first place.
Test mode and live mode are kept separate. The web address you call decides which one you get (the test address or the live address), and your credentials must match that mode.
If you gave us a list of allowed IP addresses, requests coming from any other address are turned away.
Too many failed login attempts in a short time can block you for a while.
The response’s expires_in field is null when the token has no expiry, and an integer count of seconds otherwise.

POST

platform

auth

token

Get an Access Token

curl --request POST \
  --url https://api-sandbox.finogates.com/v1/platform/auth/token \
  --header 'Content-Type: application/json' \
  --data '
{
  "client_id": "<string>",
  "client_secret": "<string>"
}
'

{
  "status_code": 123,
  "data": "<unknown>",
  "query_generated_time": 123
}

Body

application/json

OAuth2 client-credentials token exchange request.

client_id

string

required

Client identifier issued during onboarding.

Required string length: 5 - 120

Example:

"cl_aBcDeFgHiJkLmNoPqRsTuV"

client_secret

string

required

Client secret issued during onboarding. Shown only once at creation or rotation.

Required string length: 10 - 255

Example:

"sk_aBcDeFgHiJkLmNoPqRsTuVwXyZaBcDeFgHiJkLmNoPqRsTuVwXyZ"

Response

Successful Response

Standard response wrapper for single-object responses and errors.

Generic over the payload type. A route that declares CommonResponse[SomeModel] gets the real data schema rendered in OpenAPI/Swagger; a bare CommonResponse leaves data untyped.

status_code

integer

required

HTTP status code for the response.

data

any

required

Payload or error details.

query_generated_time

integer

required

UTC timestamp (milliseconds since epoch) when response was generated.

Create User