POST /institutions/oauth/token
curl --request POST \
  --url https://sandbox-api.cardcore.cloud/institutions/oauth/token \
  --header 'Content-Type: application/json' \
  --data '
{
  "grant_type": "client_credentials",
  "institutionId": "{{institutionId}}",
  "client_id": "{{oauthClientId}}",
  "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
  "client_assertion": "paste-client-assertion-jwt-here"
}
'
{
  "statusCode": 200,
  "message": "Institution OAuth created successfully.",
  "data": {
    "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCV9.client-credentials-access-token",
    "institutionId": "30f4f3213f3f9511596daade0b6eEa24",
    "tokenType": "Bearer",
    "refreshToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCV9.client-credentials-refresh-token",
    "institution": "69c21c0aa61d0550d690e99c",
    "institutionUser": "68da3e6180b90fbbb96716Eb",
    "institutionOauth": "69c21c0aa61d0550D690e99c"
  }
}
Use the refresh_token grant when you want to exchange a valid refresh token for a new access token.

Body

application/json
grant_type
enum<string>
default:client_credentials
required

Use client_credentials to exchange a client assertion, or refresh_token to obtain a new access token.

Available options: client_credentials, refresh_token
Example:

"client_credentials"

client_id
string
required

This is your OAuth Client ID, which you can find on your app page in the dashboard.

institutionId
string
required

This is your institution ID.

client_assertion_type
string
required

This is the client assertion type.

Example:

"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

client_assertion
string
required

This is the client assertion you generated earlier.

refresh_token
string

Pass your refresh token when grant_type is refresh_token.

Response

200 - application/json

Token exchange completed successfully.

statusCode
number
required
Example:

200

message
string
required
Example:

"Institution OAuth created successfully."

data
object
required

The fields returned depend on the grant type used. refreshToken is returned for client_credentials and omitted for refresh_token.
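The refresh_token response omits refreshToken, so a client that overwrites its stored tokens with each response loses the ability to refresh. The following is an added example, not code from this API's documentation: the function names are hypothetical, it makes no network call, and it assumes the fields marked required above are sent for both grant types.

```python
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
GRANTS = ("client_credentials", "refresh_token")


def build_token_request(grant_type, institution_id, client_id, client_assertion,
                        refresh_token=None):
    """Return the JSON-serializable body for POST /institutions/oauth/token."""
    if grant_type not in GRANTS:
        raise ValueError(f"unsupported grant_type: {grant_type!r}")
    body = {
        "grant_type": grant_type,
        "institutionId": institution_id,
        "client_id": client_id,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": client_assertion,
    }
    missing = [name for name, value in body.items() if not value]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    if grant_type == "refresh_token":
        if not refresh_token:
            raise ValueError("refresh_token is required for the refresh_token grant")
        body["refresh_token"] = refresh_token
    return body


def apply_token_response(state, response):
    """Merge a token response into stored state, keeping the refresh token."""
    data = response.get("data")
    if response.get("statusCode") != 200 or not isinstance(data, dict):
        raise ValueError("token exchange failed")
    # Assumption: tokenType may be absent on some grants; reject it only if wrong.
    if not data.get("accessToken") or data.get("tokenType", "Bearer") != "Bearer":
        raise ValueError("unexpected token response shape")
    new_state = dict(state)
    new_state["accessToken"] = data["accessToken"]
    # refreshToken is omitted for the refresh_token grant: keep the stored one.
    if data.get("refreshToken"):
        new_state["refreshToken"] = data["refreshToken"]
    return new_state


def redact(state):
    """Copy of state that is safe to log: token values replaced by their length."""
    return {k: f"<redacted:{len(v)}>" if k.endswith("Token") else v
            for k, v in state.items()}
```

Log only the output of redact, never the raw state or the response body, since both carry bearer credentials.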