OAuth2
The Airwallex OAuth 2.0 API allows your applications to access other Airwallex clients' resources on behalf of the client by implementing the OAuth 2.0 protocol . Airwallex currently supports the authorization code grant type using the standard authorization code flow and the Proof Key for Code Exchange (PKCE) extension .
Airwallex OAuth 2.0 API consists of two endpoints:
- An authorization endpoint for obtaining the
authorization_code. - A token endpoint for exchanging the
authorization_codeorrefresh_tokenfor an access token.
Once an access token is obtained, you may call the Airwallex APIs on behalf of the client by setting the Authorization header in every API request (e.g. Authorization: Bearer <access token>). Only the APIs corresponding to the scopes set in the authorization request will be allowed access. To use the Airwallex OAuth 2.0 API, you will need to register your application by contacting [email protected]. The client_id and client_secret are issued upon successful registration.
GET /oauth/authorizePOST /oauth/token
Obtain an access and refresh token
POST /oauth/token
Obtain an access token and refresh token pair. The grant_type parameter determines which flow to use:
authorization_code: Use this after the user completes the authorization flow. Pass the authorization code you received to obtain your first access token and refresh token. Store the refresh token securely for later use.
refresh_token: Use this when your access token has expired or is about to expire. Pass the latest refresh token to obtain a new access token and refresh token pair.
Refresh token handling
Each successful refresh request returns a new access token and a new refresh token. Only the latest refresh token is valid for normal use; the previous one must not be used for normal refresh requests. Concurrent refresh requests for the same user or session are not supported.
For error recovery, the previous refresh token may be accepted for up to 1 minute after the new refresh token is issued, only for cases where the new refresh token was not saved successfully. During this window, using the previous refresh token returns the same new token pair and does not rotate the refresh token again.
Refresh tokens expire after a period indicated by refresh_token_expires_in. They must be used at least once within that window; each use resets the expiry. If a refresh token is lost or expired, the user must re-authorize your application.
Returns an empty JSON object
The access token issued by Airwallex. It is used for authorizing an Airwallex API request.
The unique identifier of the authorized Airwallex account. This is useful to identify the associated account in the webhook events.
The lifetime of the access token since it was generated (in seconds).
The ID of the authorized Airwallex organization. Only returned when Spend or Billing scopes are authorized. This is useful to identify the associated organization in the webhook events.
The token that you can use to obtain a new access token.
The lifetime of the refresh token since it was generated (in seconds).
The authorized scopes of the access token.
The type of the token issued. Value must be bearer.
| Error status | Description |
|---|---|
| 400 | Some parameters were invalid, as specified by Errors. |
| 401 | Client authentication failed |
| 429 | Too many requests |
| 500 | The server encountered an unexpected condition that prevented it from fulfilling the request. |
$curl --request POST \> --url 'https://api-demo.airwallex.com/oauth/token' \> --header 'Authorization: Basic YXBwaWRfYzRmN2UyYTFiOGQzZjZlOTpSZnQzeUtwWHZROG1Od0xzNkJjWmpBMmhVZEVvN0d4SQ==' \> --header 'Content-Type: application/x-www-form-urlencoded' \> --data-urlencode 'grant_type=authorization_code' \> --data-urlencode 'code=SplxlOBeZQQYbYS6WxSbIA' \> --data-urlencode 'redirect_uri=https://example.com/callback' \> --data-urlencode 'code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r'
1{2 "token_type": "bearer",3 "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc...",4 "expires_in": 300,5 "refresh_token": "8xnR-quBvNkLwP5tdmOA9yMXpJ3zTrjF",6 "refresh_token_expires_in": 7776000,7 "scope": "balance:read transfer:write",8 "account_id": "acct_d8e9f0a1b2c3d4e5f6a7b8c9",9 "org_id": "org_a1b2c3d4e5f6a7b8c9d0e1f2"10}
Errors
If the authorization request failed due to invalid redirect_uri or client_id, Airwallex will display an error page instead of redirecting the user back to your application, and you will not receive an authorization response in this case.
For all other unsuccessful cases, Airwallex server informs the application by adding the following error parameters to the fragment component of the redirection URI using the application/x-www-form-urlencoded format.
If the token exchange request failed, Airwallex will return an HTTP status code defined in the API spec, along the following error parameters in the response:
The error code. Refer to the Error Codes table for all possible values.
Human-readable text providing additional information, used to assist the client developer in understanding the error that occurred
A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error
| Error codes | |
|---|---|
| access_denied | The account owner denied the request. |
| invalid_request | The request is missing a required parameter, includes an unsupported parameter value (other than grant type), repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating your application, or is otherwise malformed. |
| invalid_client | Client authentication failed |
| invalid_grant | The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another application. |
| unauthorized_client | Your application is not authorized to use this authorization grant type. |
| unsupported_grant_type | The authorization grant type is not supported. |
| unsupported_response_type | The server does not support obtaining an access token using this method. |
| invalid_scope | The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner. |
| server_error | The server encountered an unexpected condition that prevented it from fulfilling the request. |
| temporarily_unavailable | The server is currently unable to handle the request due to a temporary overloading or maintenance of the server. |
1{2 "error": "invalid_request",3 "error_description": "OAuth 2.0 Parameter: client_id",4 "error_uri": "https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1"5}