Request an OAC access token
An OAC (Organisation Access Credentials) token authenticates your calls to Fintecture's organisation management endpoints — creating and managing organisations, companies, users and applications. It uses the OAuth 2.0 client credentials flow with granular scopes, so each token carries only the permissions you request.
BetaOAC tokens and all related endpoints are currently in beta and available only to selected clients.
Production requests must be signedTo use the Fintecture API in the production environment, all HTTP requests must be signed using the HTTP Signature system. This ensures the authenticity and integrity of every request.
Prerequisites
Before generating an OAC token, ensure that Fintecture has created the following on your behalf:
- ROOT Organisation Node — the top-level organisation structure
- OAC credentials — contains the
organisation_node_idthat will be present in OAC tokens
From the OAC credentials provided by Fintecture, you will need:
client_id— a string prefixed withoac_followed by a UUID (e.g.oac_550e8400-e29b-41d4-a716-446655440000)client_secret— a plain UUID (e.g.550e8400-e29b-41d4-a716-446655440000)
Contact Fintecture to request their creation if you don't have them yet.
Scopes
OAC tokens support the following scopes for organisation management:
| Scope | Allows |
|---|---|
organisations:read | Read organisation structure |
organisations:write | Modify organisation structure |
companies:read | Read company information |
companies:write | Create/modify companies |
users:read | Read user information |
users:write | Create/modify users |
applications:read | Read application configurations |
applications:write | Create/modify applications |
Request multiple scopes in a single token by separating them with spaces in the request body — and request only the scopes you actually need.
1. Build the Authorization header
Concatenate your OAC credentials with a colon and Base64-encode the result:
echo -n "your_client_id:your_client_secret" | base64The header then looks like:
Authorization: Basic eW91cl9jbGllbnRfaWQ6eW91cl9jbGllbnRfc2VjcmV02. Request the token
Call POST /oauth/accesstoken with a form-encoded body (grant_type and scope — no app_id for OAC):
curl -X POST "https://api.sandbox.fintecture.com/oauth/accesstoken" \
-H "Authorization: Basic $(echo -n "$CLIENT_ID:$CLIENT_SECRET" | base64 | tr -d '\n')" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
--data-urlencode "scope=organisations:read organisations:write"const basic = Buffer.from(`${CLIENT_ID}:${CLIENT_SECRET}`).toString('base64');
const response = await fetch('https://api.sandbox.fintecture.com/oauth/accesstoken', {
method: 'POST',
headers: {
'Authorization': `Basic ${basic}`,
'Content-Type': 'application/x-www-form-urlencoded',
},
body: new URLSearchParams({
grant_type: 'client_credentials',
scope: 'organisations:read organisations:write',
}),
});
const { access_token, refresh_token, expires_in } = await response.json();import base64
import requests
basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
response = requests.post(
"https://api.sandbox.fintecture.com/oauth/accesstoken",
headers={"Authorization": f"Basic {basic}"},
data={
"grant_type": "client_credentials",
"scope": "organisations:read organisations:write",
},
)
response.raise_for_status()
tokens = response.json()
Sandbox vs productionThe examples above target the sandbox. For production, use
https://api.fintecture.com— and remember that each environment has its own credentials.
3. Read the response
{
"access_token": "eyJh...",
"type": "oac_token",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "eyJhb...doQ",
"scope": "organisations:read organisations:write"
}| Field | Description |
|---|---|
access_token | The token to send on every organisation management call |
type | Always oac_token |
token_type | Always Bearer |
expires_in | Remaining validity, in seconds (default: 3600) |
refresh_token | Store it securely — used to get new access tokens |
scope | The permissions actually granted to this token |
4. Use the token
Send the token in the Authorization header of every organisation management endpoint:
Authorization: Bearer eyJh...5. Renew with the refresh token
Track expires_in and, before the access token expires, request a new one using the refresh_token:
curl -X POST "https://api.sandbox.fintecture.com/oauth/refreshtoken" \
-H "Authorization: Basic $(echo -n "$CLIENT_ID:$CLIENT_SECRET" | base64 | tr -d '\n')" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=refresh_token" \
-d "refresh_token=$REFRESH_TOKEN"Troubleshooting
| Status | Most likely cause | Fix |
|---|---|---|
400 bad_request | Missing/invalid grant_type or scope, or body not form-encoded | Send Content-Type: application/x-www-form-urlencoded; separate multiple scopes with spaces |
401 unauthorized | Wrong client_id:client_secret, broken Base64, or credentials from the other environment | Re-encode the header; check you're using the credentials of the target environment |
403 forbidden | Your account is not part of the OAC beta, or the requested scope is not granted to your credentials | Contact Fintecture to check your OAC access and granted scopes |
Every error response contains a log_id — include it when you contact support so we can trace the exact call.