
POST OAuth Token API

Use Case

This API is used to obtain new JWT tokens by passing either an authorization code or a refresh token in the request. The flow is selected with the grantType parameter, which takes one of the following values:

  • authorization_code - Exchanges an authorization code for a new refresh token and SSO token (the SSO token is also known as the access token for a Paytm user)
  • refresh_token - Obtains a new SSO token for a Paytm user by passing the refresh token in the request

Header

ATTRIBUTE DESCRIPTION

Authorization

string
mandatory

HTTP Basic credential: the base64 encoding of “clientId:clientSecret”, sent as "Authorization: Basic <value>" (see the sample request below).

Request Attributes

Content Type : JSON

Body

ATTRIBUTE DESCRIPTION

grantType
string
mandatory

Grant type for the API.
Possible Values: authorization_code, refresh_token

code
string
conditional

The authorization code received from the Custom UI SDK.
Note: Mandatory when grantType is sent as authorization_code in the request.

deviceId
string
mandatory

Unique device id of the user’s phone.
Refer to the Device Id Nomenclature section below for sample values.

refreshToken
string
conditional

A JWT token with longer validity that can be used to obtain a new access token for a Paytm user.
Note: Mandatory when grantType is sent as refresh_token in the request.

Response Attributes

API Content Type: JSON

Success Response

ATTRIBUTE DESCRIPTION

scope

string

Scope of the token received
Example: paytm, wallet

accessToken

string

Received SSO token of the user
Example:
eyJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiZGlyIn0..xxxxxxxxxxx.9iHTtWbCZ0I6qbn2sUnyz5siw1fqbmtEnFMFE7nSIX-yrwCkiGfAC6QmPr9q-tw8LMPOh5-3UXRbpeVZEupQd3wNyaArWybRX2HAxJDRD8mxJ_wxzJM6GZ1ov4O3EIsx2Y_Zr0aHCd3VbnTjRUnlVdxXJPFG8QZs0b_2TVdoAX3_QjZS8_dwcmIWoH8ebDzOIs7MJacETfMtyFGAo8Xc0LjznToUWvTsTbIXQoF1yB0.1fZFAYJVsY61BTv2htLcXQ8800

refreshToken

string

A JWT token with longer validity that can be used to obtain a new access token for a Paytm user
Example:
eyJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiZGlyIn0..xxxxxxxxxxx.9iHTtWbCZ0I6qbn2sUnyz5siw1fqbmtEnFMFE7nSIX-yrwCkiGfAC6QmPr9q-tw8LMPOh5-3UXRbpeVZEupQd3wNyaArWybRX2HAxJDRD8mxJ_wxzJM6GZ1ov4O3EIsx2Y_Zr0aHCd3VbnTjRUnlVdxXJPFG8QZs0b_2TVdoAX3_QjZS8_dwcmIWoH8ebDzOIs7MJacETfMtyFGAo8Xc0LjznToUWvTsTbIXQoF1yB0.1fZFAYJVsY61BTv2htLcXQ8800

tokenType

string

Possible Values: BEARER

expiresIn

string

Expiry timer of the SSO token
Example: 1594011297000

Failure Response

ATTRIBUTE DESCRIPTION

error

string

The error code corresponding to a particular error description, returned to the merchant.
The error codes for this API are listed under Response Codes & Messages below.

error_description

string

Human-readable description of the failure.

Note: If the Authorization header is incorrect, no response body is returned and the request fails with HTTP status code 401.

Response Codes & Messages

| Response Code | Status  | Message |
|---------------|---------|---------|
| BE1422001 | FAILURE | scope is not refreshable |
| BE1422002 | FAILURE | invalid refresh token |
| BE1423001 | FAILURE | Depending upon the use case, the message is one of: "illegal parameters etc." or "token format, not supported" |
| BE1423003 | FAILURE | The grant type is not given to the client |
| BE1423004 | FAILURE | Authorization is invalid |
| NA | FAILURE | Client permission not found |

Device Id Nomenclature

| Device | Suggested Nomenclature | Sample Code | Example |
|--------|------------------------|-------------|---------|
| App - Android | Android id | Settings.Secure.ANDROID_ID (Ref: https://android-developers.googleblog.com/2017/04/changes-to-device-identifiers-in.html) | 8c4afbfab1ae0bd4 |
| App - iOS | Vendor Id | UIDevice.current.identifierForVendor?.uuidString | CCB300A0-DE1B-4D48-BC7E-599E453B8DD4 |
| Web | User Agent Id associated with cookie | - | 123e4567-e89b-12d3-a456-426614174000 |
Staging endpoint: https://accounts-uat.paytm.com/oauth2/v3/token/sv1

Sample request (cURL):
curl -X POST 'https://accounts-uat.paytm.com/oauth2/v3/token/sv1/' \
--header 'Authorization: Basic {BASE64_ENCODED_CLIENT_ID_AND_CLIENT_SECRET}' \
--header 'Content-Type: application/json' \
--data '{
    "grantType": "authorization_code",
    "code": "999e3877-97c1-XXXX-b19d-6c8787983300",
    "deviceId": "Device123"
}'
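The request and response rules above (Basic credential built from clientId:clientSecret, code mandatory only for authorization_code, refreshToken mandatory only for refresh_token, a 401 with no body on a bad Authorization header, and an error/error_description pair on failure) can be wrapped in a small client-side helper. The following is an added example written for this page, not Paytm's own SDK or sample code: the function names, the sample token bodies and the BE1422002 reply are constructed here, and treating expiresIn as an epoch timestamp in milliseconds is an assumption drawn from the example value 1594011297000. It builds the request without sending it, so it runs offline.

```python
"""Added example (not Paytm's code): build and validate OAuth Token API calls."""
import base64
import json
from datetime import datetime, timezone

# Staging endpoint as given on the page; the production URL is not listed there.
TOKEN_URL = "https://accounts-uat.paytm.com/oauth2/v3/token/sv1"


class TokenRequestError(ValueError):
    """Raised when a request would violate the API's mandatory/conditional rules."""


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization header value: 'Basic ' + base64("clientId:clientSecret").

    The secret is part of every call, so this exchange belongs on the merchant
    backend, not in app or browser code that ships to users.
    """
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(client_id, client_secret, grant_type, device_id,
                        code=None, refresh_token=None):
    """Return (headers, json_body) for POST TOKEN_URL, enforcing the attribute table."""
    if grant_type not in ("authorization_code", "refresh_token"):
        raise TokenRequestError(f"unsupported grantType: {grant_type}")
    if not device_id:
        raise TokenRequestError("deviceId is mandatory")
    body = {"grantType": grant_type, "deviceId": device_id}
    if grant_type == "authorization_code":
        if not code:  # conditional: required for this grant type
            raise TokenRequestError("code is mandatory when grantType is authorization_code")
        body["code"] = code
    else:
        if not refresh_token:  # conditional: required for this grant type
            raise TokenRequestError("refreshToken is mandatory when grantType is refresh_token")
        body["refreshToken"] = refresh_token
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/json",
    }
    return headers, json.dumps(body)


def parse_token_response(status_code: int, body_text: str) -> dict:
    """Classify a reply as unauthorized / failure / ok and pull out the token fields."""
    if status_code == 401:
        # Per the page: a wrong Authorization header gives 401 with no response body.
        return {"result": "unauthorized"}
    data = json.loads(body_text) if body_text else {}
    if "error" in data:
        return {"result": "failure", "code": data["error"],
                "description": data.get("error_description", "")}
    required = ("accessToken", "refreshToken", "tokenType", "expiresIn")
    missing = [k for k in required if k not in data]
    if missing:
        raise ValueError(f"success response missing fields: {missing}")
    # Assumption: expiresIn is an absolute epoch time in milliseconds.
    expires_at = datetime.fromtimestamp(int(data["expiresIn"]) / 1000, tz=timezone.utc)
    return {"result": "ok", "scope": data.get("scope"),
            "access_token": data["accessToken"], "refresh_token": data["refreshToken"],
            "token_type": data["tokenType"], "expires_at": expires_at}


# Constructed sample replies (shapes follow the response attribute tables above).
SAMPLE_SUCCESS = json.dumps({"scope": "paytm", "accessToken": "eyJ...constructed-access",
                             "refreshToken": "eyJ...constructed-refresh",
                             "tokenType": "BEARER", "expiresIn": "1594011297000"})
SAMPLE_FAILURE = json.dumps({"error": "BE1422002",
                             "error_description": "invalid refresh token"})

if __name__ == "__main__":
    headers, body = build_token_request("client-id", "client-secret", "authorization_code",
                                        "Device123", code="999e3877-97c1-XXXX-b19d-6c8787983300")
    print(headers["Authorization"], body)
    print(parse_token_response(200, SAMPLE_SUCCESS))
    print(parse_token_response(200, SAMPLE_FAILURE))
    print(parse_token_response(401, ""))
```

To send the request, pass `headers` and `body` to any HTTP client against TOKEN_URL and feed the status code and body text to parse_token_response; the conditional checks run before anything leaves the backend, so a missing code or refreshToken is caught locally instead of as a BE1423001 reply.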