Request the Access and Refresh Tokens

Use the authorization code from the redirect response to request an initial access token, as well as a refresh token, from the

/oauth/v3/token

endpoint. While a header is not required, we recommend including the header

v-c-client-correlation-id

with a unique value for every request to the

/oauth/v3/token

endpoint. For security, all parameters must be sent in the body and use the HTTPS protocol. Do not place any parameters in the URL.

Test URL:

api-matest.smartpayfuse.barclaycard

Production URL:

api-ma.smartpayfuse.barclaycard

Sample Token Request

POST https://api-ma.smartpayfuse.barclaycard/oauth2/v3/token
				Content-Type: application/x-www-form-urlencoded
				
				client_id=8l57hYffFb&grant_type=refresh_token&code=eyJraK&client_secret=yourClientSecret

Access Token Request Parameters
Parameter Name	Value	Description
grant_type	Set to authorization_code .	Required. Determines which type of flow the Authorization Server uses to acquire user authorization.
code	The authorization code received from the redirect response.	Required. The value passed in this parameter must exactly match the value supplied by the OAuth server during the authorization step.
client_id	The client ID obtained during client registration.	Required. Indicates the client that is making the request.
client_secret	The client secret value obtained during client registration.	Required. You received this value when you registered your application with `Barclays`.

Sample Response for Access Token Request

/1.1 200 OK 

Content-Type: application/json;charset=UTF-8 

Cache-Control: no-store 

Pragma: no-cache 

{ 

"access_token": "eyJraWQiOiIxMGM2MTYxNzg2MzE2ZWMzMGJjZmI5ZDcyZGU4MzFjOSIsImFsZyI6IlJTMjU2In0.
 eyJqdGkiOiI5YTM0MWVkZC0zY2ViLTRiMzYtYjQyMy05MDg4ZTliYWQ1YTAiLCJzY29wZXMiOlsiYWx0ZXJuYXRlX3B
 heW1lbnRzIiwiYmFua190cmFuc2ZlcnMiLCJib2FyZGluZyIsImNvbW1lcmNlX3NlcnZpY2VzIiwiZnJhdWRfbWFuYW
 dlbWVudCIsImludm9pY2luZyIsImtleXMiLCJtYW5hZ2Vfc2VjdXJlX2FjY2VwdGFuY2UiLCJwYXltZW50c193aXRoX
 3N0YW5kYWxvbmVfY3JlZGl0IiwicGF5bWVudHNfd2l0aG91dF9zdGFuZGFsb25lX2NyZWRpdCIsInBheW91dHMiLCJy
 ZXBvcnRpbmciLCJ0b2tlbml6YXRpb25fc2VydmljZXMiLCJ0cmFuc2FjdGlvbnMiLCJ1c2VycyJdLCJpYXQiOjE2MTk
 1MTg3MzY4OTUsImFzc29jaWF0ZWRfaWQiOiJzYW1wbGVwYXJ0bmVyIiwiY2xpZW50X2lkIjoidjZUSkgxSXFoTSIsIm1
 lcmNoYW50X2lkIjoicmFodWxyYW1hIiwiZXhwaXJlc19pbiI6MTYxOTUxOTYzNjg5NSwiZ3JhbnRfdHlwZSI6ImF1dGh
 vcml6YXRpb25fY29kZSIsImdyYW50X3RpbWUiOiIyMDIxMDQyNzAzMTgifQ.jhjH9_xxleoNKgidD9oduVuUqDGov2X6
 22gzh99_QeocFc-7KsndsdaaUqglRpfY8juCbtRIe8RhLa5_hIoKF3ZU3XJ4WnQeAXdbznjf0SfK2SHpih-Tl2u_Ufsl
 Q7WjJM3OVDRcV3udMKfe6ACX0_uH81vRobRK43kk1RjrKuQSWz6KRRmSGrHJWl2sbo0gdEQEZpnGQwVcJuGKYalOk6Xq
 vglu2nD7iNyZpaaXOJHVDqxNdQdz8vfkofBPFVcTMjx8cHge3gDOFWDce5-TIU2EGdD_nUUfh8OfXaMrvv6nBriKzG96
 j7SQm3BXfwfm6SzSIyBpiti3sgwGJs-vGA", 

"token_type": "bearer", 

"refresh_token": "eyJraWQiOiIxMGM2MTYxNzg2MzE2ZWMzMGJjZmI5ZDcyZGU4MzFjOSIsImFsZyI6IlJTMjU2In0.
 eyJqdGkiOiJmMTA2YjU1Yy00MjA1LTRjZDctOTkzNy04MzM3YTdjNmZmYWMiLCJzY29wZXMiOlsiYWx0ZXJuYXRlX3Bhe
 W1lbnRzIiwiYmFua190cmFuc2ZlcnMiLCJib2FyZGluZyIsImNvbW1lcmNlX3NlcnZpY2VzIiwiZnJhdWRfbWFuYWdlbW
 VudCIsImludm9pY2luZyIsImtleXMiLCJtYW5hZ2Vfc2VjdXJlX2FjY2VwdGFuY2UiLCJwYXltZW50c193aXRoX3N0YW5
 kYWxvbmVfY3JlZGl0IiwicGF5bWVudHNfd2l0aG91dF9zdGFuZGFsb25lX2NyZWRpdCIsInBheW91dHMiLCJyZXBvcnRp
 bmciLCJ0b2tlbml6YXRpb25fc2VydmljZXMiLCJ0cmFuc2FjdGlvbnMiLCJ1c2VycyJdLCJpYXQiOjE2MTk1MTg3MzY4O
 DksImFzc29jaWF0ZWRfaWQiOiJzYW1wbGVwYXJ0bmVyIiwiY2xpZW50X2lkIjoidjZUSkgxSXFoTSIsIm1lcmNoYW50X2
 lkIjoicmFodWxyYW1hIiwiZXhwaXJlc19pbiI6MTY1MTA1NDczNjg4OCwidG9rZW5fdHlwZSI6InJlZnJlc2hfdG9rZW4
 iLCJncmFudF90eXBlIjoiYXV0aG9yaXphdGlvbl9jb2RlIiwiZ3JhbnRfdGltZSI6IjIwMjEwNDI3MDMxOCJ9.Sj5y5ld
 pM4-ie5YT6_ARu6H0Ikd7jOhNvKsWgDB5NTxHvbyS5ciMidAIvxoxOXS_0vPpf1u865w8Qu8yT82iHHbNxyjjBXy03wbS
 utJBen_5roFUi6XE7KFgZPKL2hixmRVgivTrA8uAZ798Griv0PUOPnm6y6AzmK1ffmwdSNejKBdvz3_38TLLJk_0ylkRp
 D9akM8bSpDMSJJLNd3_eER5jdOQWRlqgaC030crrksS7o-vFJxXsK3MN0-_qnVqV5-l-8vhjJ0VUzg66eUgIyphIzU2c0
 M2J9d5tJVncHqOFz8N8HUZ800xKxMKH1MlB7F3L8alJJ04Jk6edT0KXA", 

"expires_in": 899, 

"scope": "transactions", 

"refresh_token_expires_in": 31535999, 

"client_status": "active" 

}

Error Responses for Token Request
Error Code	Description
access_denied	The resource owner or authorization server denied the request.
server_error	The authorization server encountered an unexpected condition that prevented it from fulfilling the request. This error code is needed because a 500 Internal Server Error HTTP status code cannot be returned to the client by an HTTP redirect.
invalid_scope	The requested scope is invalid, unknown, or malformed.
invalid_client	The requested client ID is invalid, unknown, or malformed.
invalid_request	The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.
unauthorized_client	The client is not authorized to request an authorization code.
invalid_redirect_uri	The requested redirect URI is invalid, unknown, or malformed.
client_not_found	The requested client ID is not found in the system.
invalid_client_type	The requested client ID is registered with an invalid client type (only confidential clients are supported).
merchant_not_active	The authorization could not be completed because the merchant's `Barclays` account is inactive.
client_not_active	The authorization could not be completed because your `Barclays` Partner Account is not currently listed as active. Contact customer support for assistance.