Authorization (v2), Flute API Reference: https://developer.flute.com/api-reference/authorization

<a id="generating-an-api-token"></a>
An API token is required for every endpoint call.
An API token can only be created after an account has been created and registered and at least one API key has been created.

The API token is the authorization token sent with each endpoint request.
It is an encrypted string issued in exchange for the client ID and client secret of an API key (created earlier).
It encodes both authentication and authorization, including whatever privileges the user or account holds.
It is a bearer token: anyone who holds it can call the API with those privileges until it expires, so treat it as a secret and never embed it in frontend code or public repositories.
The API token is time-limited and expires after the number of seconds given by the `expires_in` value of the token response (3600 seconds in the example below).

It may be created as needed.
We recommend generating a new API token before each endpoint use, which ensures the token is valid for every call.
A server-side client may instead cache the token and request a new one shortly before `expires_in` elapses, which avoids a token request per API call.

<a id="baseOAuthURL"></a>
The API token is obtained through the OAuth 2.0 Client Credentials grant.
In this flow a server-side application authenticates to the token endpoint with its own client credentials (client ID and client secret) and receives a Bearer access token, which it then presents to access protected resources.
There is no end-user login step, so the flow is intended for machine-to-machine calls from a backend that can keep the client secret private.

<h3 style="margin-top: 24px; margin-bottom: 4px;">Generating the API Token</h3>
An API token is created for the environment it will be used in.
There are two available Flute environments: Sandbox and Production.

**Sandbox**<br>
Use the sandbox environment for development and testing.
No payments, charges, or invoices will be enforced.<br>
Endpoint: `POST https://sandbox.oauth.api.flute.com/oauth2/token`

**Production**<br>
Use the production environment for deploying the payment system live to clients.
All payments, charges, or invoices will be enforced.<br>
Endpoint: `POST https://oauth.api.flute.com/oauth2/token`

Sandbox and production API tokens are requested with the same API key and differ only in the token endpoint used.
The two token types are not interchangeable: a token cannot be used in an environment other than the one it was created for.

The API key created during initial account registration is needed to create an API token.
The **client ID** and **client secret** are used together to create an API token.

The following is an example of the complete request for the sandbox environment (the `-u` flag sends the client ID and client secret as HTTP Basic authentication):
```shell
curl -X 'POST' 'https://sandbox.oauth.api.flute.com/oauth2/token' \
-u '594838709594...38697242c:9eb2c6859daa4...d8ae5da9' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&scope=offline_access'
```

The following example is returned in the response body:
```json
{
"access_token": "u7BYwJx26U1lT...TZpKvndLCC4",
"refresh_token": "def50200newrefresh123456789",
"token_type": "Bearer",
"expires_in": 3600
}
```

<h3 style="margin-top: 24px; margin-bottom: 4px;">Using the API Token</h3>

The token endpoint returns both an `access_token` and a `refresh_token`.
The lifespan of the `access_token` is given by the `expires_in` value, in seconds.
The lifespan of the `refresh_token` is set by Flute's authorization server (the OAuth 2.0 specification leaves it to the server) and is not returned in the response.

Clients may use either token as suits them.
For example, it may be simplest to request a new `access_token` before each user-initiated action.
Alternatively, the `access_token` may be left to expire and the `refresh_token` used to obtain a new one.
A mobile app that obtains its tokens through its own backend (the client secret must never ship inside the app) may rely on the `refresh_token` to avoid re-authenticating repeatedly.

In the request header of each endpoint call, send the `access_token` as a Bearer credential:
```http
Authorization: Bearer u7BYwJx26U1lT...TZpKvndLCC4
```

The following example uses the access token to call an endpoint in the sandbox environment:
```shell
curl 'https://sandbox.api.flute.com/v2/transactions' \
-H 'Authorization: Bearer u7BYwJx26U1lT...TZpKvndLCC4' \
-H 'Accept: application/json'
```
As a reminder, always secure your client ID and especially your client secret.
Never expose the client secret in client-side code or public repositories.
It should be kept private and secure, for example in a secrets manager or an environment variable on the server that requests tokens.
If the client secret is suspected to have been compromised, delete the API key that owns it and treat any access token obtained with that key as compromised as well.
A new API key can then be created.

<h3 style="margin-top: 24px; margin-bottom: 4px;">Error Responses</h3>

If authentication fails, the token endpoint returns an error.
The following are commonly encountered errors.

| HTTP Status      | Common Cause                                                              |
|------------------|---------------------------------------------------------------------------|
| 400 Bad Request  | Missing or invalid `grant_type`, or a malformed request body.             |
| 401 Unauthorized | From the token endpoint: the client ID or client secret was rejected. From an API endpoint: the access token is invalid or has likely expired; request a new token and retry the request. |
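The following Python client is an added example written for this page; it is not Flute's SDK or code taken from the page. It implements the request the curl example makes (client ID and secret as HTTP Basic, `grant_type=client_credentials&scope=offline_access`), caches the resulting Bearer token and requests a new one shortly before `expires_in` elapses, and reads the secret from the environment rather than source code. The `TokenClient` class, `TokenError`, the `FLUTE_CLIENT_ID` and `FLUTE_CLIENT_SECRET` variable names, the 60-second refresh margin, and the `fake_token_endpoint` stand-in with its constructed credentials and token values are the example's own choices, not Flute's.

```python
# Added example: a caching client-credentials token client for the Flute
# token endpoint. Not Flute's code; the class, error type, environment
# variable names, refresh margin and fake endpoint are this example's choices.
import base64
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

SANDBOX_TOKEN_URL = "https://sandbox.oauth.api.flute.com/oauth2/token"
PRODUCTION_TOKEN_URL = "https://oauth.api.flute.com/oauth2/token"


class TokenError(Exception):
    """The token endpoint refused to issue a token (e.g. 400 or 401)."""


def http_post_form(url, headers, form):
    """Real transport: form-encoded POST, returns (status, body bytes).
    Error responses are returned, not raised, so the 400/401 body is visible."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class TokenClient:
    """Obtains a Bearer token with the client-credentials grant and caches it
    until shortly before `expires_in` elapses. `post` and `clock` are
    injectable so the logic can be exercised offline."""

    def __init__(self, client_id, client_secret, token_url=SANDBOX_TOKEN_URL,
                 post=http_post_form, clock=time.time, refresh_margin=60):
        if not client_id or not client_secret:
            raise ValueError("client ID and client secret are required")
        # Same credential encoding that curl -u produces: Basic base64(id:secret)
        self._basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self._token_url = token_url
        self._post = post
        self._clock = clock
        self._margin = refresh_margin
        self._access_token = None
        self._expires_at = 0.0
        self.token_requests = 0  # counter, useful for observing the cache

    def fetch_token(self):
        """Always request a fresh token (what the page's curl example does)."""
        headers = {"Authorization": f"Basic {self._basic}",
                   "Content-Type": "application/x-www-form-urlencoded"}
        form = {"grant_type": "client_credentials", "scope": "offline_access"}
        self.token_requests += 1
        status, body = self._post(self._token_url, headers, form)
        if status != 200:
            raise TokenError(f"token endpoint returned {status}: {body[:200]!r}")
        payload = json.loads(body)
        if payload.get("token_type", "").lower() != "bearer":
            raise TokenError(f"unexpected token_type {payload.get('token_type')!r}")
        self._access_token = payload["access_token"]
        self._expires_at = self._clock() + int(payload["expires_in"])
        return self._access_token

    def access_token(self):
        """Cached token, or a fresh one if it is missing or about to expire."""
        if self._access_token is None or self._clock() >= self._expires_at - self._margin:
            return self.fetch_token()
        return self._access_token

    def auth_header(self):
        """Header to send on API calls, e.g. GET .../v2/transactions."""
        return {"Authorization": f"Bearer {self.access_token()}"}


def client_from_env(token_url=SANDBOX_TOKEN_URL):
    """Read the secret from the environment so it never lives in source code."""
    return TokenClient(os.environ["FLUTE_CLIENT_ID"],
                       os.environ["FLUTE_CLIENT_SECRET"], token_url)


# Constructed stand-in for the token endpoint so the example runs offline.
SAMPLE_ID, SAMPLE_SECRET = "example-client-id", "example-client-secret"
SAMPLE_TOKEN = "example-access-token"


def fake_token_endpoint(url, headers, form):
    expected = "Basic " + base64.b64encode(f"{SAMPLE_ID}:{SAMPLE_SECRET}".encode()).decode()
    if headers.get("Authorization") != expected:
        return 401, json.dumps({"error": "invalid_client"}).encode()
    if form.get("grant_type") != "client_credentials":
        return 400, json.dumps({"error": "unsupported_grant_type"}).encode()
    return 200, json.dumps({"access_token": SAMPLE_TOKEN, "refresh_token": "example-refresh-token",
                            "token_type": "Bearer", "expires_in": 3600}).encode()


if __name__ == "__main__":
    now = [1_000_000.0]
    client = TokenClient(SAMPLE_ID, SAMPLE_SECRET, post=fake_token_endpoint, clock=lambda: now[0])
    print(client.auth_header())                          # first token request
    now[0] += 3600 - 30                                  # inside the refresh margin
    print(client.auth_header(), client.token_requests)   # second request
```

With a 401 from an API endpoint (expired or invalid token, as the error table describes), a caller should call `fetch_token()` once and retry the request rather than looping on the token endpoint; a 401 from `fetch_token()` itself means the credentials were rejected and retrying will not help. Using `client_from_env()` with the real `http_post_form` transport keeps the client secret out of the code base and out of any public repository.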