Request an OAC access token

An OAC (Organisation Access Credentials) token authenticates your calls to Fintecture's organisation management endpoints — creating and managing organisations, companies, users and applications. It uses the OAuth 2.0 client credentials flow with granular scopes, so each token carries only the permissions you request.

🚧

Beta

OAC tokens and all related endpoints are currently in beta and available only to selected clients.

📘

Production requests must be signed

To use the Fintecture API in the production environment, all HTTP requests must be signed using the HTTP Signature system. This ensures the authenticity and integrity of every request.

Prerequisites

Before generating an OAC token, ensure that Fintecture has created the following on your behalf:

  • ROOT Organisation Node — the top-level organisation structure
  • OAC credentials — contains the organisation_node_id that will be present in OAC tokens

From the OAC credentials provided by Fintecture, you will need:

  • client_id — a string prefixed with oac_ followed by a UUID (e.g. oac_550e8400-e29b-41d4-a716-446655440000)
  • client_secret — a plain UUID (e.g. 550e8400-e29b-41d4-a716-446655440000)

Contact Fintecture to request their creation if you don't have them yet.

Scopes

OAC tokens support the following scopes for organisation management:

ScopeAllows
organisations:readRead organisation structure
organisations:writeModify organisation structure
companies:readRead company information
companies:writeCreate/modify companies
users:readRead user information
users:writeCreate/modify users
applications:readRead application configurations
applications:writeCreate/modify applications

Request multiple scopes in a single token by separating them with spaces in the request body — and request only the scopes you actually need.

1. Build the Authorization header

Concatenate your OAC credentials with a colon and Base64-encode the result:

echo -n "your_client_id:your_client_secret" | base64

The header then looks like:

Authorization: Basic eW91cl9jbGllbnRfaWQ6eW91cl9jbGllbnRfc2VjcmV0

2. Request the token

Call POST /oauth/accesstoken with a form-encoded body (grant_type and scope — no app_id for OAC):

curl -X POST "https://api.sandbox.fintecture.com/oauth/accesstoken" \
  -H "Authorization: Basic $(echo -n "$CLIENT_ID:$CLIENT_SECRET" | base64 | tr -d '\n')" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  --data-urlencode "scope=organisations:read organisations:write"
const basic = Buffer.from(`${CLIENT_ID}:${CLIENT_SECRET}`).toString('base64');

const response = await fetch('https://api.sandbox.fintecture.com/oauth/accesstoken', {
  method: 'POST',
  headers: {
    'Authorization': `Basic ${basic}`,
    'Content-Type': 'application/x-www-form-urlencoded',
  },
  body: new URLSearchParams({
    grant_type: 'client_credentials',
    scope: 'organisations:read organisations:write',
  }),
});

const { access_token, refresh_token, expires_in } = await response.json();
import base64

import requests

basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

response = requests.post(
    "https://api.sandbox.fintecture.com/oauth/accesstoken",
    headers={"Authorization": f"Basic {basic}"},
    data={
        "grant_type": "client_credentials",
        "scope": "organisations:read organisations:write",
    },
)
response.raise_for_status()
tokens = response.json()
📘

Sandbox vs production

The examples above target the sandbox. For production, use https://api.fintecture.com — and remember that each environment has its own credentials.

3. Read the response

{
  "access_token": "eyJh...",
  "type": "oac_token",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "eyJhb...doQ",
  "scope": "organisations:read organisations:write"
}
FieldDescription
access_tokenThe token to send on every organisation management call
typeAlways oac_token
token_typeAlways Bearer
expires_inRemaining validity, in seconds (default: 3600)
refresh_tokenStore it securely — used to get new access tokens
scopeThe permissions actually granted to this token

4. Use the token

Send the token in the Authorization header of every organisation management endpoint:

Authorization: Bearer eyJh...

5. Renew with the refresh token

Track expires_in and, before the access token expires, request a new one using the refresh_token:

curl -X POST "https://api.sandbox.fintecture.com/oauth/refreshtoken" \
  -H "Authorization: Basic $(echo -n "$CLIENT_ID:$CLIENT_SECRET" | base64 | tr -d '\n')" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token" \
  -d "refresh_token=$REFRESH_TOKEN"

Troubleshooting

StatusMost likely causeFix
400 bad_requestMissing/invalid grant_type or scope, or body not form-encodedSend Content-Type: application/x-www-form-urlencoded; separate multiple scopes with spaces
401 unauthorizedWrong client_id:client_secret, broken Base64, or credentials from the other environmentRe-encode the header; check you're using the credentials of the target environment
403 forbiddenYour account is not part of the OAC beta, or the requested scope is not granted to your credentialsContact Fintecture to check your OAC access and granted scopes

Every error response contains a log_id — include it when you contact support so we can trace the exact call.