{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-guides/developer/auth-and-security/sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["sub-header"]},"type":"markdown"},"seo":{"title":"OAuth 2.0 Setup","siteUrl":"https://docs.wise.com","projectTitle":"Wise Platform","description":"Initial setup and management details for OAuth 2.0 with the Wise Platform API.","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"oauth-20-setup","__idx":0},"children":["OAuth 2.0 Setup"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"span","attributes":{"class":"sub-header"},"children":["Get started with OAuth 2.0 and manage your tokens. "]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["During onboarding, Wise provides partners with a ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["client ID"]}," and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["client secret"]},", which you access via the ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://wise.com/developer-hub"},"children":["Developer Hub"]},". You’ll use them to generate the tokens you need for authenticating your application."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Partner integrations use an OAuth 2.0 authentication flow to obtain the following types of tokens:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"width":"20%","data-label":"Token type"},"children":["Token type "]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Purpose"},"children":["Purpose"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"TTL"},"children":["TTL"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/developer/auth-and-security/client-credentials-token"},"children":["Client credentials token"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Used for application-level requests, like subscribing to application webhooks and generating un-authenticated quotes.",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},"Client credentials tokens are also used to authenticate a user with the registration grant flow.",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},"Application-level requests are not specific to a profile."]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["12 hours"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/developer/auth-and-security/user-access-token"},"children":["User access token"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["For profile-level requests, like creating transfers.",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},"Profile-level requests are requests that transact on behalf of a specific profile and represent the majority of Wise API actions."]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["12 hours"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/developer/auth-and-security/refresh-tokens"},"children":["Refresh token"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["To generate new user access tokens without requiring the user to re-authorize. Maintains long-term user access."]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Up to 20 years"]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Both client credential tokens and user access tokens are ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["bearer"]}," tokens. Include the token in the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Authorization"]}," header of your requests:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"bash","header":{"controls":{"copy":{}}},"source":"curl -i -X POST https://api.wise.com/v3/* \\\n  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \\\n","lang":"bash"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"token-lifecycle","__idx":1},"children":["Token lifecycle"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Both client credential tokens and user access tokens expire after ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["12 hours"]}," by default. To maintain uninterrupted access and avoid expiration errors, your system should request new tokens well in advance of the token expiration."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"token-management-strategy","__idx":2},"children":["Token management strategy"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Track your token expiry time using the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["expires_in"]}," value from the token response and request a new access token before the current one expires."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client credentials tokens"]},": Wise recommends obtaining new client credential tokens for each \"session\" (for example, per payment or each time you onboard a customer). Review the ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/developer/auth-and-security/client-credentials-token"},"children":["Client credential token guide"]}," for details about obtaining new client credential tokens."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["User access tokens"]},": Wise recommends refreshing user access tokens 6 hours prior to expiration. Review the ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/developer/auth-and-security/refresh-tokens"},"children":["Refresh tokens guide"]}," for details about using refresh tokens to obtain new user access tokens."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"token-invalidation-behaviours","__idx":3},"children":["Token invalidation behaviours"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"user-access-tokens","__idx":4},"children":["User access tokens"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Access tokens expire 12 hours after issuance."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["When you use a refresh token to obtain a new access token, the old access token is invalidated immediately, even if it has not yet expired.",{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["If your system makes concurrent token requests — for example, multiple services refreshing at the same time — only the most recently issued token will work. All other tokens will return ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["401 invalid_token"]}," (the most common cause of unexpected ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["401"]}," errors in production)."]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["When users revoke access or reset passwords, the old access token is invalidated."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"refresh-tokens","__idx":5},"children":["Refresh tokens"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Refresh tokens are valid for up to 20 years (the exact duration depends on your client configuration)."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["When you use a refresh token to obtain a new access token, a new refresh token may also be issued (depending on your client configuration). If a new refresh token is issued, the old one is invalidated."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["When you generate a new refresh token using the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["registration_code"]}," grant, the previous refresh token is immediately invalidated."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["A refresh token is also invalidated if the user revokes your application's access, enables enhanced security on their account, or resets their password."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Wise may revoke a refresh token due to security concerns."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["When profile ownership changes, for example moving your business profile from one user account to another, you may encounter an ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["invalid_grant"]}," error, as this action invalidates the refresh token."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"token-related-errors","__idx":6},"children":["Token-related errors"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The Wise API returns one of the following error codes for token-related failures. Use this table to identify the cause and determine the correct recovery action."]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"HTTP code"},"children":["HTTP code"]},{"$$mdtype":"Tag","name":"th","attributes":{"width":"20%","data-label":"Error"},"children":["Error "]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Cause and solution"},"children":["Cause and solution"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["400"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["invalid_grant"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Occurs when requesting a new token.",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},"Grant type: ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["authorization_code"]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Cause"]},": The authorisation code has expired (codes are valid for 10 minutes) or has already been exchanged for a token. Authorisation codes are single-use.",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Solution"]},": Restart the authorisation flow to obtain a new code."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["400"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["invalid_grant"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Occurs when requesting a new token.",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},"Grant type: ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["authorization_code"]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Cause"]},": The ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["redirect_uri"]}," in the token request does not match the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["redirect_uri"]}," used in the authorisation request. Both values must be identical, including query parameters.",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Solution"]},": Retry the token request with the exact same ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["redirect_uri"]}," you used when directing the user to the authorisation page."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["400"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["invalid_grant"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Occurs when requesting a new token.",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},"Grant type: ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["refresh_token"]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Cause"]},": The refresh token is expired, revoked, or not found.",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Solution"]},": If you have a valid registration code, use the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["registration_code"]}," grant to obtain a new token pair. Otherwise, the user must re-authorise your application."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["400"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["invalid_request"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Occurs when requesting a new token.",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},"Grant type: Any",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Cause"]},": The ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["grant_type"]}," parameter is missing from the request body.",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Solution"]},": Include ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["grant_type"]}," in the request body. Valid values are ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["client_credentials"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["authorization_code"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["registration_code"]},", and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["refresh_token"]},"."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["401"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["invalid_client"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Occurs when requesting a new token.",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},"Grant type: Any",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Cause"]},": Client authentication failed. The ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["client_id"]}," or ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["client_secret"]}," in the Basic Authentication header is incorrect.",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Solution"]},": Verify your ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["client_id"]}," and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["client_secret"]},". Retrieve the current values from the ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://developer.wise.com"},"children":["Developer Hub"]},". If you recently rotated your client secret, ensure you are using the active secret."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["401"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["invalid_grant"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Occurs when requesting a new token.",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},"Grant type: ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["registration_code"]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Cause"]},": The registration code is invalid, or the user has reclaimed their Wise account.",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Solution"]},": If the user reclaimed their account, the registration code is permanently invalidated. Use the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["refresh_token"]}," grant if you have a valid refresh token. Otherwise, direct the user through the authorisation code flow or contact the Wise support team for assistance."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["401"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["invalid_token"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Occurs when the bearer token in the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Authorization"]}," header is invalid.",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},"Token type: Client credentials token, user access token",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Cause"]},": The token is expired, was never valid, has been revoked, or was invalidated when a newer token was issued.",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Solution"]},": Request a new token. For client credentials tokens, make a new ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["POST /oauth/token"]}," request with ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["grant_type=client_credentials"]},". For user access tokens, use your refresh token."]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"contacting-support","__idx":7},"children":["Contacting support"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If you've worked through the solutions above and are still experiencing issues, contact ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"mailto:api@wise.com"},"children":["api@wise.com"]}," with the following information:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["x-trace-id"]}]}," from the error response headers."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["environment"]}," (production or sandbox)."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["grant type"]}," you are using (",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["client_credentials"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["authorization_code"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["registration_code"]},", or ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["refresh_token"]},")."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["HTTP status code"]}," and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["full error response body"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Timestamps"]}," of the failing requests."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Your ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["client ID"]},"."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"rotating-your-client-secret","__idx":8},"children":["Rotating your client secret"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Your client credentials are made up of your Wise-issued ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["client_id"]}," and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["client_secret"]},", which do not have any set expiration or rotation requirement. However, you can revoke and rotate your ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["client_secret"]}," in ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://wise.com/developer-hub"},"children":["Developer Hub"]}," should you suspect a security breach or your company security policy requires regular rotation."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["To rotate your client secret:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Log into ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://wise.com/developer-hub"},"children":["Developer Hub"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Go to the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Authentication → Credentials"]}," section."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Rotate Secret"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Enter your password and 2FA code when prompted."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Copy the new secret and store it in a secure place, then click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Done"]},"."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["At this point, both your prior and new secret are active. This allows you test that requests using the new secret work as expected."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Once confirmed the new secret works and the old secret is no longer being used, click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Complete Rotation"]},". This will promote your new secret and revoke the old one. Any tokens generated using your prior ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["client_secret"]}," remain unaffected until you use the new secret to generate new tokens."]}]},"headings":[{"value":"OAuth 2.0 Setup","id":"oauth-20-setup","depth":1},{"value":"Token lifecycle","id":"token-lifecycle","depth":2},{"value":"Token management strategy","id":"token-management-strategy","depth":3},{"value":"Token invalidation behaviours","id":"token-invalidation-behaviours","depth":3},{"value":"User access tokens","id":"user-access-tokens","depth":4},{"value":"Refresh tokens","id":"refresh-tokens","depth":4},{"value":"Token-related errors","id":"token-related-errors","depth":3},{"value":"Contacting support","id":"contacting-support","depth":3},{"value":"Rotating your client secret","id":"rotating-your-client-secret","depth":2}],"frontmatter":{"seo":{"description":"Initial setup and management details for OAuth 2.0 with the Wise Platform API.","title":"OAuth 2.0 Setup"}},"lastModified":"2026-07-16T16:31:51.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/guides/developer/auth-and-security/oauth-2-setup","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}