POST /v1/oauth/token
curl --request POST \
  --url https://api.bolt.com/v1/oauth/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'X-API-Key: <api-key>' \
  --data client_id=PUBLISHABLE_KEY_PLACEHOLDER \
  --data client_secret=API_KEY_PLACEHOLDER \
  --data code=AUTH_CODE_PLACEHOLDER \
  --data grant_type=authorization_code \
  --data 'scope=bolt.account.manage+openid'

{
  "access_token": "$ACCESS_TOKEN",
  "expires_in": 3600,
  "id_token": "$ID_TOKEN",
  "refresh_token": "$REFRESH_TOKEN",
  "refresh_token_scope": "bolt.account.view",
  "scope": "bolt.account.manage",
  "token_type": "bearer"
}

Authorizations

X-API-Key
string
header
required

Admins and Developers can obtain their Bolt API key from the Bolt Merchant Dashboard.

Headers

X-Publishable-Key
string

The publicly viewable identifier used to identify a merchant division. This key is found in the Developer > API section of the Bolt Merchant Dashboard [RECOMMENDED].

Body

application/x-www-form-urlencoded

client_id
string
required

The merchant publishable key, which can be found in the merchant dashboard.

client_secret
string
required

Your Bolt API Key.

code
string
required

The authorization code, fetched using the OTP value from the Authorization Modal.

grant_type
enum<string>
required

The type of OAuth 2.0 grant being utilized.

The value will always be authorization_code when exchanging an authorization code for an access token.

Available options:
authorization_code

scope
enum<string>
required

The scope issued to the merchant when receiving an authorization code. Options include bolt.account.manage, bolt.account.view, openid. You can find more information on these options in our OAuth scope documentation.

Available options:
bolt.account.manage
bolt.account.view
openid

state
string

A randomly generated string, issued to the merchant when receiving an authorization code, that is used to prevent CSRF attacks.

Response

OAuth token response.

access_token
string

An access token you can use to make requests on behalf of a Bolt Account.

expires_in
integer

Access token’s expiration in seconds.

id_token
string

A JWT issued when the request includes the openid scope.

refresh_token
string

A refresh token you can use to issue a brand new access token without obtaining a new authorization code.

refresh_token_scope
string

The scope granted to the refresh token. Currently this will always be bolt.account.view.

scope
string

The scope granted to the access token, depending on the scope granted to the authorization code as well as the scope parameter. Options include bolt.account.manage, bolt.account.view, openid.

token_type
string

The token_type will always be bearer.
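
The checks a merchant backend would place around this exchange, as an added example that is not Bolt's code: verify state before spending the code, build the form body shown in the curl sample, and validate the token response against the fields documented above. Function names are hypothetical; treating the response scope as space-separated and rejecting a grant wider than the request are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlencode

ALLOWED_SCOPES = {"bolt.account.manage", "bolt.account.view", "openid"}  # options listed on this page


def new_state() -> str:
    # Random value stored in the user's session and compared on return.
    return secrets.token_urlsafe(32)


def state_matches(expected: str, received: str) -> bool:
    # Constant-time comparison; an empty or missing state never matches.
    if not expected or not received:
        return False
    return hmac.compare_digest(expected.encode(), received.encode())


def build_token_request(publishable_key, api_key, code, scopes, state):
    # Returns (headers, body) for POST /v1/oauth/token; sends nothing.
    unknown = set(scopes) - ALLOWED_SCOPES
    if unknown:
        raise ValueError(f"unsupported scope(s): {sorted(unknown)}")
    headers = {"Content-Type": "application/x-www-form-urlencoded", "X-API-Key": api_key}
    body = urlencode({
        "client_id": publishable_key,
        "client_secret": api_key,
        "code": code,
        "grant_type": "authorization_code",
        "scope": " ".join(scopes),  # space-separated; form-encodes to '+'
        "state": state,
    })
    return headers, body


def check_token_response(resp: dict, requested_scopes) -> dict:
    # Assumptions: response "scope" is space-separated; a wider grant is an error.
    if str(resp.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    if not resp.get("access_token"):
        raise ValueError("missing access_token")
    expires = resp.get("expires_in")
    if isinstance(expires, bool) or not isinstance(expires, int) or expires <= 0:
        raise ValueError("bad expires_in")
    granted = set(str(resp.get("scope", "")).split())
    if not granted <= set(requested_scopes):
        raise ValueError("granted scope exceeds requested scope")
    return resp
```

Call state_matches before build_token_request so a forged callback never consumes an authorization code, and keep the API key out of logs since it travels in both the header and the body.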