A user access token lets your application make requests to the Wise API on behalf of a specific Wise user. Wise issues a user access token once the user authorises the partner application to perform transactions on their behalf.
How you obtain a user access token depends on your integration model:
- Embedded finance partners: Your end customers each have their own Wise profile and can interact with Wise directly through your application. Because each customer authorises your application individually, you use the authorization code grant to obtain a user access token for each customer. You'll go through this flow once per customer.
- If you created the user's Wise account, you can use the registration code grant to obtain a user access token for each user.
- Correspondent and Enterprise partners: Your integration operates through a single Wise profile. There is no end user to redirect through a browser-based authorization flow, so you use the registration code grant to obtain a user access token. You'll typically go through this flow only once during onboarding, then maintain access by refreshing the token.
- If you can log in to Wise.com, you can also follow the authorization code grant flow.
Both flows return a user access token and a refresh token. Once you have a valid access token, using it in requests is the same regardless of which grant type you used to obtain it.
Regardless of how you obtain your initial tokens, you are responsible for maintaining uninterrupted access by refreshing tokens before they expire. See the Refresh tokens guide for details.
Before you can obtain user access tokens, you must have:
- Your client ID and client secret (retrieve via Developer Hub).
- A redirect URL (coordinated during partner onboarding with the Wise implementation team and only required for the authorization code flow).
- Created a Wise account and user (how this occurs will depend on your integration model and you’ll be guided by your onboarding team).
Select the flow you wish to view in detail:
- Authorization code flow (for Embedded finance partners)
- Registration code flow (for Correspondent and Enterprise partners)
The response is the same for both the authorization and registration code flows. It includes both the access_token and refresh_token.
{ "access_token": "01234567-89ab-cdef-0123-456789abcdef", "token_type": "bearer", "refresh_token": "01234567-89ab-cdef-0123-456789abcdef", "expires_in": 43199, "expires_at": "2025-04-11T03:43:28.148Z", "refresh_token_expires_in": 628639555, "refresh_token_expires_at": "2045-03-12T13:49:23.552Z", "scope": "transfers", "created_at": "2020-01-01T12:33:33.12345Z" }
You can now use the access_token in all profile-level requests and refresh the access token prior to its expiration.
Include the access token in the Authorization header when making requests on behalf of the user.
curl -X GET https://api.wise.com/v2/profiles \
-H 'Authorization: Bearer <USER_ACCESS_TOKEN>'User access tokens expire after 12 hours. Understanding how token invalidation works is critical to avoiding unexpected 401 errors in production.
Only one access token is valid at a time.
When you obtain a new access token (whether via refresh_token, authorization_code, or registration_code) the previously active access token is immediately invalidated. Any requests using the old token will fail with 401 invalid_token.
This means your application must always store and use the most recently issued access token.
This behaviour is the most common cause of unexpected 401 errors for partners in production. It typically occurs when:
- Multiple backend services independently refresh the token, and one service continues using the old token.
- A retry mechanism triggers a second refresh before the first response is processed.
- The new token is not propagated to all services that make API calls.
How you recover from token invalidation depends on your integration model:
If the user originally authorised via the OAuth redirect flow:
- Attempt to refresh using your stored refresh token.
- If the refresh token is also invalid, redirect the user to re-authorise then use the authorization code to obtain new tokens.
These integration models use a single partner account and typically go through the authorisation flow only once:
- Attempt to refresh using your stored refresh token.
- Use your registration code to generate a new token pair. The registration code is your primary recovery mechanism — store it securely!
Unlike Embedded finance partners, you cannot redirect a user to re-authorise. However, if both your refresh token and registration code are invalid, but you can log in to Wise.com, you may generate an access token via the authorization code flow.
Otherwise, contact your Wise implementation team or Wise Platform support for further assistance.
This section covers the most common errors you may encounter when obtaining or using user access tokens.
| HTTP status | Error | Cause |
|---|---|---|
400 | invalid_grant — "Authorization code expired." | The authorisation code has a 10-minute TTL. You must exchange it for tokens within that window. |
400 | invalid_grant — "Authorization code is not valid." | The code has already been used. Each authorisation code can only be exchanged once. |
400 | invalid_grant — "Redirect URI mismatch." | The redirect_uri in your token request does not match the one used when redirecting the user to authorise. These must be identical, including query parameters. |
401 | invalid_client | Your client_id or client_secret is incorrect, or the Basic Auth header is malformed. |
400 | invalid_request — "Missing grant type" | The grant_type parameter is missing from the request body. |
| HTTP status | Error | Cause |
|---|---|---|
401 | invalid_grant — "Invalid user credentials." | The registration code is invalid, or the user has reclaimed their Wise account (for example, by resetting their password). |
| HTTP status | Error | Cause |
|---|---|---|
400 | invalid_grant | The refresh token is expired, revoked, or not found. Can also be caused when a profile is moved to a different account. |
401 | invalid_client | Your client_id or client_secret is incorrect. If you recently rotated your client secret, ensure you are using the active secret. |
| HTTP status | Error | Cause |
|---|---|---|
401 | invalid_token — "Invalid token" | The access token is expired, was never valid, was revoked, or was replaced by a newer token. Can also be caused by profile ownership change when there is an existing token. |
Some API paths may return {"error": "unauthorized"} instead of {"error": "invalid_token"}. Both indicate the same issue — the token is not valid.
This inconsistency is being addressed as part of an ongoing migration.