On This Page
REST API
Requesting the Access and Refresh Tokens
Use the authorization code from the redirect response to request an initial access token, as
well as a refresh token, from the
/oauth/v3/token
endpoint. While a header is
not required, we recommend including the header v-c-client-correlation-id
with a unique value for every request to the /oauth/v3/token
endpoint. For
security, all parameters must be sent in the body and use the HTTPS protocol. Do not place any
parameters in the URL. Test URL
: https://api-matest.cybersource.comProduction URL
: https://api-ma.cybersource.comSample Token Request
POST https://api-ma.cybersource.com/oauth2/v3/token Content-Type: application/x-www-form-urlencoded client_id=8l57hYffFb&grant_type=refresh_token&code=eyJraK&client_secret=yourClientSecret
Parameter Name | Value | Description |
|---|---|---|
grant_type | authorization_code | Required. Determines which type of flow the Authorization Server uses to
acquire user authorization. |
code | The authorization code received from the redirect response. | Required. The value passed in this parameter must exactly match the value
supplied by the OAuth server during the authorization step. |
client_id | The client ID obtained during client registration. | Required. Indicates the client that is making the request. |
client_secret | The client secret value obtained during client registration. | Required. You received this value when you registered your application with
Cybersource. |
Sample Response for Access Token Request
HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token": "eyJraWQiOiIxMGM2MTYxNzg2MzE2ZWMzMGJjZmI5ZDcyZGU4MzFjOSIsImFsZyI6IlJTMjU2In0.eyJqdGkiOiI5YTM0MWVkZC0zY2ViLTRiMzYtYjQyMy05MDg4ZTliYWQ1YTAiLCJzY29wZXMiOlsiYWx0ZXJuYXRlX3BheW1lbnRzIiwiYmFua190cmFuc2ZlcnMiLCJib2FyZGluZyIsImNvbW1lcmNlX3NlcnZpY2VzIiwiZnJhdWRfbWFuYWdlbWVudCIsImludm9pY2luZyIsImtleXMiLCJtYW5hZ2Vfc2VjdXJlX2FjY2VwdGFuY2UiLCJwYXltZW50c193aXRoX3N0YW5kYWxvbmVfY3JlZGl0IiwicGF5bWVudHNfd2l0aG91dF9zdGFuZGFsb25lX2NyZWRpdCIsInBheW91dHMiLCJyZXBvcnRpbmciLCJ0b2tlbml6YXRpb25fc2VydmljZXMiLCJ0cmFuc2FjdGlvbnMiLCJ1c2VycyJdLCJpYXQiOjE2MTk1MTg3MzY4OTUsImFzc29jaWF0ZWRfaWQiOiJzYW1wbGVwYXJ0bmVyIiwiY2xpZW50X2lkIjoidjZUSkgxSXFoTSIsIm1lcmNoYW50X2lkIjoicmFodWxyYW1hIiwiZXhwaXJlc19pbiI6MTYxOTUxOTYzNjg5NSwiZ3JhbnRfdHlwZSI6ImF1dGhvcml6YXRpb25fY29kZSIsImdyYW50X3RpbWUiOiIyMDIxMDQyNzAzMTgifQ.jhjH9_xxleoNKgidD9oduVuUqDGov2X622gzh99_QeocFc-7KsndsdaaUqglRpfY8juCbtRIe8RhLa5_hIoKF3ZU3XJ4WnQeAXdbznjf0SfK2SHpih-Tl2u_UfslQ7WjJM3OVDRcV3udMKfe6ACX0_uH81vRobRK43kk1RjrKuQSWz6KRRmSGrHJWl2sbo0gdEQEZpnGQwVcJuGKYalOk6Xqvglu2nD7iNyZpaaXOJHVDqxNdQdz8vfkofBPFVcTMjx8cHge3gDOFWDce5-TIU2EGdD_nUUfh8OfXaMrvv6nBriKzG96j7SQm3BXfwfm6SzSIyBpiti3sgwGJs-vGA", "token_type": "bearer", "refresh_token": "eyJraWQiOiIxMGM2MTYxNzg2MzE2ZWMzMGJjZmI5ZDcyZGU4MzFjOSIsImFsZyI6IlJTMjU2In0.eyJqdGkiOiJmMTA2YjU1Yy00MjA1LTRjZDctOTkzNy04MzM3YTdjNmZmYWMiLCJzY29wZXMiOlsiYWx0ZXJuYXRlX3BheW1lbnRzIiwiYmFua190cmFuc2ZlcnMiLCJib2FyZGluZyIsImNvbW1lcmNlX3NlcnZpY2VzIiwiZnJhdWRfbWFuYWdlbWVudCIsImludm9pY2luZyIsImtleXMiLCJtYW5hZ2Vfc2VjdXJlX2FjY2VwdGFuY2UiLCJwYXltZW50c193aXRoX3N0YW5kYWxvbmVfY3JlZGl0IiwicGF5bWVudHNfd2l0aG91dF9zdGFuZGFsb25lX2NyZWRpdCIsInBheW91dHMiLCJyZXBvcnRpbmciLCJ0b2tlbml6YXRpb25fc2VydmljZXMiLCJ0cmFuc2FjdGlvbnMiLCJ1c2VycyJdLCJpYXQiOjE2MTk1MTg3MzY4ODksImFzc29jaWF0ZWRfaWQiOiJzYW1wbGVwYXJ0bmVyIiwiY2xpZW50X2lkIjoidjZUSkgxSXFoTSIsIm1lcmNoYW50X2lkIjoicmFodWxyYW1hIiwiZXhwaXJlc19pbiI6MTY1MTA1NDczNjg4OCwidG9rZW5fdHlwZSI6InJlZnJlc2hfdG9rZW4iLCJncmFudF90eXBlIjoiYXV0aG9yaXphdGlvbl9jb2RlIiwiZ3JhbnRfdGltZSI6IjIwMjEwNDI3MDMxOCJ9.Sj5y5ldpM4-ie5YT6_ARu6H0Ikd7jOhNvKsWgDB5NTxHvbyS5ciMidAIvxoxOXS_0vPpf1u865w8Qu8yT82iHHbNxyjjBXy03wbSutJBen_5roFUi6XE7KFgZPKL2hixmRVgivTrA8uAZ798Griv0PUOPnm6y6AzmK1ffmwdSNejKBdvz3_38TLLJk_0ylkRpD9akM8bSpDMSJJLNd3_eER5jdOQWRlqgaC030crrksS7o-vFJxXsK3MN0-_qnVqV5-l-8vhjJ0VUzg66eUgIyphIzU2c0M2J9d5tJVncHqOFz8N8HUZ800xKxMKH1MlB7F3L8alJJ04Jk6edT0KXA", "expires_in": 899, "scope": "transactions", "refresh_token_expires_in": 31535999, "client_status": "active" }
Error Code | Description |
|---|---|
access_denied | The resource owner or authorization server denied the request. |
server_error | The authorization server encountered an unexpected condition that prevented it
from fulfilling the request. This error code is needed because a 500 Internal Server
Error HTTP status code cannot be returned to the client by an HTTP redirect. |
invalid_scope | The requested scope is invalid, unknown, or malformed. |
invalid_client | The requested client ID is invalid, unknown, or malformed. |
invalid_request | The request is missing a required parameter, includes an invalid parameter
value, includes a parameter more than once, or is otherwise malformed. |
unauthorized_client | The client is not authorized to request an authorization code. |
invalid_redirect_uri | The requested redirect URI is invalid, unknown, or malformed. |
client_not_found | The requested client ID is not found in the system. |
invalid_client_type | The requested client ID is registered with an invalid client type (only
confidential clients are supported). |
merchant_not_active | The authorization could not be completed because the merchant's Cybersource
account is inactive. |
client_not_active | The authorization could not be completed because your Cybersource Partner
Account is not currently listed as active. Contact customer support for
assistance. |