# Create an OAuth token

Exchange credentials or authorisation grants for an OAuth 2.0 access token.

The grant_type field determines which parameters are required and which response fields are returned.

See managing token expiration for guidance on refreshing tokens before they expire.

Endpoint: POST /oauth/token
Security: BasicAuth

## Response 200 fields (application/json):

  - `access_token` (string)
    Access token to be used when calling the API. Valid for 12 hours.
    Example: "01234567-89ab-cdef-0123-456789abcdef"

  - `token_type` (string)
    Type of the token.
    Example: "bearer"

  - `refresh_token` (string)
    Refresh token used to obtain new user access tokens without requiring the user to re-authorise. Valid for up to 20 years.
    Only returned for user access token grant types (registration_code, authorization_code, refresh_token).
    Example: "01234567-89ab-cdef-0123-456789abcdef"

  - `expires_in` (integer)
    Access token expiry time in seconds.
    Example: 43199

  - `expires_at` (string)
    Access token expiration timestamp (UTC).
    Example: "2025-04-11T03:43:28.148Z"

  - `refresh_token_expires_in` (integer)
    Refresh token expiry time in seconds.
    Only returned for user access token grant types (registration_code, authorization_code, refresh_token).
    Example: 628639555

  - `refresh_token_expires_at` (string)
    Refresh token expiration timestamp (UTC).
    Only returned for user access token grant types (registration_code, authorization_code, refresh_token).
    Example: "2045-03-12T13:49:23.552Z"

  - `scope` (string)
    Scope of the token.
    Example: "transfers"

  - `created_at` (string)
    Token creation time in ISO 8601 format.
    Only returned for user access token grant types (registration_code, authorization_code, refresh_token).
    Example: "2020-01-01T12:33:33.12345Z"

## Response 400 fields (application/json):

  - `error` (string)
    Example: "invalid_request"

  - `error_description` (string)
    Example: "Missing grant type"

## Response 401 fields (application/json):

  - `error` (string)
    Example: "invalid_grant"

  - `error_description` (string)
    Example: "Invalid user credentials."
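
The following Python is an added example, not code from this API's documentation or client libraries. It parses the response bodies documented above, keeps token values out of `repr()` output, decides when to refresh, and handles responses that carry no refresh token. The class and function names and the five-minute margin are assumptions, and the sample bodies are constructed from the example values on this page.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

class TokenError(Exception):
    """A 400/401 body (error, error_description) or a malformed 200 body."""

@dataclass(frozen=True)
class Token:
    access_token: str = field(repr=False)             # keep secrets out of logs
    access_expires_at: datetime
    refresh_token: Optional[str] = field(repr=False)  # None if not returned
    refresh_expires_at: Optional[datetime]

    def needs_refresh(self, now, margin=timedelta(minutes=5)):
        # Refresh slightly early so a request never carries an expired token.
        return now >= self.access_expires_at - margin

    def can_refresh(self, now):
        return bool(self.refresh_token and self.refresh_expires_at
                    and now < self.refresh_expires_at)

def parse_token_response(status, body, received_at):
    data = json.loads(body)
    if status != 200:
        raise TokenError(f"{data.get('error')}: {data.get('error_description')}")
    def expiry(at_key, in_key):
        # Prefer the absolute UTC timestamp; fall back to the relative lifetime.
        if at_key in data:
            return datetime.fromisoformat(data[at_key].replace("Z", "+00:00"))
        if in_key in data:
            return received_at + timedelta(seconds=data[in_key])
        return None
    access_exp = expiry("expires_at", "expires_in")
    if "access_token" not in data or access_exp is None:
        raise TokenError("200 response without access_token or expiry")
    return Token(data["access_token"], access_exp, data.get("refresh_token"),
                 expiry("refresh_token_expires_at", "refresh_token_expires_in"))

# Constructed sample bodies, using the example values shown on this page.
RECEIVED_AT = datetime(2025, 4, 10, 15, 43, 29, tzinfo=timezone.utc)
CLIENT = {"access_token": "01234567-89ab-cdef-0123-456789abcdef",
          "token_type": "bearer", "expires_in": 43199, "scope": "transfers"}
USER = dict(CLIENT, refresh_token="01234567-89ab-cdef-0123-456789abcdef",
            expires_at="2025-04-11T03:43:28.148Z",
            refresh_token_expires_at="2045-03-12T13:49:23.552Z")
CLIENT_BODY, USER_BODY = json.dumps(CLIENT), json.dumps(USER)
ERROR_BODY = '{"error": "invalid_grant", "error_description": "Invalid user credentials."}'
```

When `can_refresh` is false, the client has to request a new token with its original grant rather than the `refresh_token` grant.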


