Obtain User Access Token

API consumers obtain a user access token before invoking the APIs. Once obtained, the user access token is sent in each API invocation request as a header parameter so that the bank can authorize the request and allow access to the financial information of its banking customers.

  1. You can generate a user access token using the sample request given below:
    curl -X POST \
    https://<IS_HOST>:9446/oauth2/token \
    -H 'Cache-Control: no-cache' \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    -d 'grant_type=authorization_code&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<CLIENT_ASSERTION>&code=4dc73435-eee5-3486-ba3b-29b49be04f21&scope=openid%20accounts&redirect_uri=https%3A%2F%2Fwso2.com'
  2. The client_assertion parameter is a JWT, as explained in the Obtaining an application access token step.
  3. Make sure you update all the placeholders with the appropriate values.
    • Update the code value with the authorization code you generated in the Authorise a Consent step.
  4. The response contains a user access token.

Access tokens have an expiration period; once an access token expires, you need to regenerate it. Run the following cURL command to generate a new access token:

curl -X POST \
 https://<APIM_HOST>:8243/token \
 -H 'Content-Type: application/x-www-form-urlencoded' \
 -H 'cache-control: no-cache' \
 -d 'grant_type=refresh_token&refresh_token=<REFRESH_TOKEN>&client_id=4hZILATfPyXlLFqkP3Z0OBYhmDwa&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=<CLIENT_ASSERTION>'
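The following Python helper is an added example, not WSO2 code, covering both requests on this page: the authorization_code grant in step 1 and the refresh_token grant above. It builds the form bodies with proper URL encoding, sanity-checks the claims of the client_assertion JWT before it is sent (claim inspection only, no signature verification, which the token endpoint performs), and tracks the expiry of the returned token so the refresh call can be made before the access token lapses. The host names, the client_id, the expected audience and the sample JWT are constructed placeholders; substitute the values of your deployment and sign the real assertion with the application's private key.

```python
"""Added example (not WSO2's own code): build and sanity-check the token
requests for the authorization_code and refresh_token grants with a
private_key_jwt client assertion. All hosts, ids and the sample JWT below
are constructed placeholders."""
import base64
import json
import time
from urllib.parse import urlencode

# Assumed placeholders: replace with the real Identity Server / APIM hosts.
IS_TOKEN_URL = "https://IS_HOST:9446/oauth2/token"
APIM_TOKEN_URL = "https://APIM_HOST:8243/token"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
FORM_HEADERS = {"Content-Type": "application/x-www-form-urlencoded",
                "Cache-Control": "no-cache"}


def _b64url_decode(segment):
    """base64url decode with the '=' padding that JWT segments omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_client_assertion(assertion, expected_aud, now=None):
    """Inspect the JWT claims and list problems a token endpoint would reject.
    Claims only: the signature is NOT verified here (the server does that)."""
    now = time.time() if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("client_assertion must have three dot-separated parts")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    problems = []
    # private_key_jwt requires an asymmetric signature; 'none'/HMAC are not acceptable
    if header.get("alg") in (None, "none") or str(header.get("alg")).startswith("HS"):
        problems.append("alg must be an asymmetric algorithm such as RS256 or PS256")
    for claim in ("iss", "sub", "aud", "exp", "jti"):
        if claim not in claims:
            problems.append("missing claim " + claim)
    if claims.get("iss") != claims.get("sub"):
        problems.append("iss and sub must both carry the client_id")
    aud = claims.get("aud")
    if aud != expected_aud and not (isinstance(aud, list) and expected_aud in aud):
        problems.append("aud does not match the expected audience")
    if "exp" in claims and claims["exp"] <= now:
        problems.append("assertion already expired")
    return {"claims": claims, "problems": problems}


def build_code_request(client_assertion, code, redirect_uri, scope="openid accounts"):
    """Form body for step 1 (authorization_code grant); returns (url, headers, body)."""
    body = urlencode({"grant_type": "authorization_code",
                      "client_assertion_type": JWT_BEARER,
                      "client_assertion": client_assertion,
                      "code": code, "scope": scope, "redirect_uri": redirect_uri})
    return IS_TOKEN_URL, FORM_HEADERS, body


def build_refresh_request(client_assertion, refresh_token, client_id):
    """Form body for the refresh_token grant shown above; returns (url, headers, body)."""
    body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token,
                      "client_id": client_id, "client_assertion_type": JWT_BEARER,
                      "client_assertion": client_assertion})
    return APIM_TOKEN_URL, FORM_HEADERS, body


def parse_token_response(response_json, received_at):
    """Turn the endpoint's JSON into a record with an absolute expiry time."""
    data = json.loads(response_json)
    if "access_token" not in data:
        raise ValueError(data.get("error_description") or data.get("error") or "token request failed")
    return {"access_token": data["access_token"],
            "refresh_token": data.get("refresh_token"),
            "expires_at": received_at + int(data["expires_in"])}


def needs_refresh(token, now, skew=60):
    """True when the token expires within `skew` seconds, so it is refreshed before it lapses."""
    return now + skew >= token["expires_at"]


def make_sample_assertion(claims, alg="RS256"):
    """Constructed test input only: a JWT with a dummy signature segment.
    A real client_assertion is signed with the application's private key."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": alg, "typ": "JWT"}), enc(claims), "dummysig"])
```

The two build functions return the body as a string ready for `requests.post(url, headers=headers, data=body)` or the `-d` argument of cURL; running `check_client_assertion` first catches the common rejections (expired assertion, wrong audience, missing jti) before a request is sent.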