# OAuth 2.0 Setup

Get started with OAuth 2.0 and manage your tokens. 

During onboarding, Wise provides partners with a **client ID** and **client secret**. You can access these credentials via the [Developer Hub](https://wise.com/developer-hub) and you’ll use them to generate the necessary tokens during your authentication process.

Enterprise partners and correspondent partners use an OAuth 2.0 authentication flow to obtain the following types of tokens:

| Token type | Purpose | TTL |
|  --- | --- | --- |
| [Client credentials token](/guides/developer/auth-and-security/client-credentials-token) | For application-level requests, like generating unauthenticated quotes and subscribing to application webhooks. Application-level requests are not specific to a profile. | 12 hours |
| [User access token](/guides/developer/auth-and-security/user-access-token) | For profile-level requests, like creating transfers. Profile-level requests are requests that transact on behalf of a specific profile and represent the majority of Wise API actions. | 12 hours |
| [Refresh token](/guides/developer/auth-and-security/refresh-tokens) | To generate new user access tokens without requiring the user to re-authorize. Maintains long-term user access. | Up to 20 years |


Both client credential tokens and user access tokens are **bearer** tokens. Include the token in the `Authorization` header of your requests:


```
curl -i -X POST 'https://api.wise.com/v3/*' \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>'
```

## Managing token expiration

Both client credential and user access tokens expire after 12 hours.

To maintain uninterrupted access and avoid expiration errors:

- **Track the expiry time** using the `expires_in` value from the token response.
- **Refresh proactively** by requesting a new access token before the current one expires (a good practice is to refresh once 80% of the TTL has elapsed).
- **Don't persist your tokens**. Treat each token as ephemeral and request a new one when needed.


For details about obtaining new client credential tokens, see the [Client credential token guide](/guides/developer/auth-and-security/client-credentials-token). For details about obtaining new user access tokens, see the [Refresh tokens guide](/guides/developer/auth-and-security/refresh-tokens).
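The three practices above can be combined in a small in-memory cache. This is an added example, not Wise's own code: it assumes a hypothetical `fetch_token` callable that performs the token request and returns the parsed response with `access_token` and `expires_in` fields, and the class and method names are illustrative.

```python
import threading
import time

REFRESH_FRACTION = 0.8  # refresh once 80% of the TTL has elapsed


class TokenCache:
    """Holds one bearer token in memory only; nothing is written to disk."""

    def __init__(self, fetch_token, clock=time.monotonic):
        # fetch_token is a hypothetical callable (an assumption of this example)
        # that requests a token and returns the parsed response, e.g.
        # {"access_token": "...", "expires_in": 43200}
        self._fetch_token = fetch_token
        self._clock = clock
        self._lock = threading.Lock()  # one refresh at a time across threads
        self._token = None
        self._refresh_at = 0.0

    def get(self):
        """Return the cached token, fetching a new one past the refresh point."""
        with self._lock:
            if self._token is None or self._clock() >= self._refresh_at:
                # Timestamp before the request so the refresh point errs early.
                issued = self._clock()
                response = self._fetch_token()
                ttl = float(response["expires_in"])
                if ttl <= 0:
                    raise ValueError("token response has non-positive expires_in")
                self._token = response["access_token"]
                self._refresh_at = issued + ttl * REFRESH_FRACTION
            return self._token

    def invalidate(self):
        """Drop the token (for example after a 401) so get() fetches a new one."""
        with self._lock:
            self._token = None

    def auth_header(self):
        """Build the Authorization header with a currently valid token."""
        return {"Authorization": f"Bearer {self.get()}"}
```

If `fetch_token` raises, the previous token and refresh point are left unchanged, so the caller can retry without losing a token that is still valid.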

### Token expiration errors

Token expiration can result in one of the following error codes:

| HTTP code | Error | Token type | Cause and solution |
|  --- | --- | --- | --- |
| `400` | `invalid_grant` | user access | Authorisation code expired or already used. Restart the authorisation flow. |
| `401` | `Unauthorized` | client credential, user access | Access token expired or invalid. Use the refresh token to obtain a new access token. |