
Security and access

OAuth 2.0 and token types for Wise Platform partners


To use the Wise Platform API, you must authenticate your requests. Authentication verifies your identity and ensures only authorised users and applications can access the API.

The Wise Platform API implements OAuth 2.0 for all partner accounts. Wise also offers enhanced security frameworks (mTLS, JOSE, and SCA & 2FA) for partners requiring additional protection.

OAuth 2.0

OAuth 2.0 lets your application access the Wise API on behalf of your customers or as an enterprise integration. It requires a partnership agreement and mTLS setup.

During the partner onboarding process, Wise provides partner accounts with:

  • A client ID to identify their application.
  • A client secret to authenticate their application.
  • Access to the Developer Hub for managing credentials and other tasks.

Additionally, partners must provide Wise with a redirect URL. During the OAuth flow, Wise redirects users to this URL after they authorise the partner application.

Token types

Wise issues the following types of OAuth 2.0 tokens: client credentials tokens, user access tokens, and refresh tokens.

Each token type is used for specific actions with the Wise API. Select a token type to learn how to generate and use that type of token.

Security best practices

  • Never expose client credentials or tokens in client-side code, logs, or URLs.
  • Store credentials and tokens in a secrets manager.
  • Use separate credentials for sandbox and production.
  • Encrypt refresh tokens at rest.
  • Rotate your client secret periodically via Developer Hub.
  • Request only the scopes your application needs.

If you suspect a breach, revoke credentials immediately via Developer Hub and contact your Implementation Manager.
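One way to enforce the first practice above (keeping credentials and tokens out of logs and logged URLs) is a redaction filter on the application's log handlers. This is an added example, not code from Wise; the field names are the standard OAuth 2.0 ones from RFC 6749 and the sample values are constructed.

```python
import logging
import re

# Assumption: standard OAuth 2.0 field names (RFC 6749); extend this list
# with any other secret-bearing fields your integration logs.
_SECRET_KEYS = r"client_secret|access_token|refresh_token|code"

# Each pattern deliberately errs on the side of over-redaction.
_PATTERNS = [
    # Authorization header values: "Bearer <token>" / "Basic <credentials>"
    (re.compile(r"(?i)\b(bearer|basic)\s+[A-Za-z0-9._~+/=-]+"), r"\1 [REDACTED]"),
    # key=value pairs in query strings and form-encoded bodies
    (re.compile(rf"(?i)\b({_SECRET_KEYS})=[^&\s\"']+"), r"\1=[REDACTED]"),
    # "key": "value" pairs in JSON bodies
    (re.compile(rf'(?i)"({_SECRET_KEYS})"\s*:\s*"[^"]*"'), r'"\1": "[REDACTED]"'),
]


def redact(text: str) -> str:
    """Return text with OAuth credentials and tokens masked."""
    for pattern, replacement in _PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Logging filter that masks secrets in the fully formatted message."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Interpolate first so secrets passed as %-args are also covered.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("oauth-demo")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed sample values, not real credentials.
    log.info("token request body: grant_type=refresh_token&refresh_token=%s", "rt-constructed-123")
    log.info("request headers: Authorization: Bearer %s", "at-constructed-456")
```

Attach the filter to every handler that writes to disk or ships logs off the host, since a filter on a handler only applies to records passing through that handler.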

Enhanced security methods

Wise offers advanced security for partners requiring additional protection. Select a method to learn how to implement it with your partner integration.

About personal API tokens

In addition to partner accounts, a subset of Wise Platform API capabilities is available to individual Wise business accounts. These are typically small-to-medium businesses (SMBs) that want to automate parts of their payouts workflow.

These accounts can generate a personal API token that they can then use in the authorization header of their API requests when calling the supported endpoints. Review the Personal API token guide for details about generating and using a personal API token.

Which type should you use?

Personal API tokens should be used by SMBs that wish to automate their own Wise.com business accounts. OAuth 2.0 should be used by large enterprise partners and partners building applications for their customers to perform financial transactions.