Fetch OAuth Token
Exchange the authorization code for an access token and a refresh token that enable you to access Bolt Account APIs.

Provision an access token with Bolt OAuth so your store backend can send the account data to your frontend and render a one-click checkout experience.

Overview

To access Bolt Account APIs, such as Get Account Details, Add Address, Delete Address, and any others that require an OAuth authorization type, you need to use OAuth tokens.

You must exchange the authorization code received from the login modal to retrieve these OAuth tokens. Your store frontend sends the authorization code to your store backend, which exchanges it for the tokens using the OAuth Token endpoint (/oauth/token).

sequenceDiagram
    participant Shopper
    participant StoreFrontend
    participant StoreBackend
    participant ShopperAccountInfo
    Shopper->>StoreFrontend: Inputs OTP into login modal.
    Note over Shopper,StoreFrontend: OTP converted to auth code.
    StoreFrontend->>StoreBackend: Auth code tokenization request.
    Note over StoreBackend,StoreFrontend: Uses the OAuth Token endpoint.
    StoreBackend->>StoreFrontend: Receive access and refresh tokens.
    Note over StoreBackend,StoreFrontend: Initial request grant_type = authorization_code
    Note over StoreBackend,StoreFrontend: Subsequent requests grant_type = refresh_token
    StoreFrontend->>ShopperAccountInfo: Requests shopper account info.
    ShopperAccountInfo->>StoreFrontend: Receives shopper account info.
    Note over StoreFrontend,ShopperAccountInfo: Used to fill in address and payment components.
    StoreFrontend->>Shopper: Info populates components.
    Shopper->>StoreFrontend: Continues checkout.

Token Scope

Bolt issues tokens with limited scopes. A fully scoped access token is issued when the shopper logs into the login modal and you complete a new exchange of the authorization code for OAuth tokens.

For more information, see our in-depth documentation on OAuth Scopes.

Exchange Authorization Code for Tokens

Your initial call to the OAuth Token endpoint (/oauth/token) uses the authorization code granted by the user in the login modal to fetch the OAuth tokens.

Payload

In the initial request, grant_type is authorization_code.

client_id=PUBLISHABLE_KEY_PLACEHOLDER&client_secret=API_KEY_PLACEHOLDER&code=AUTH_CODE_PLACEHOLDER&grant_type=authorization_code&scope=bolt.account.manage%2Bopenid

Response

{
  "access_token": "$ACCESS_TOKEN",
  "expires_in": 3600,
  "id_token": "$ID_TOKEN",
  "refresh_token": "$REFRESH_TOKEN",
  "refresh_token_scope": "bolt.account.view",
  "scope": "bolt.account.manage",
  "token_type": "bearer"
}

TIP

Store the refresh_token for use in subsequent calls to fetch new access tokens. This enables you to skip the authorization process on subsequent calls and immediately access the Bolt Account APIs.

Utilize a Refresh Token for Expired Access Tokens

In subsequent requests to the OAuth Token endpoint (/oauth/token), use the refresh token to fetch a new access token.

INFO

Refresh tokens are used to maintain read access after the original access token has expired. The refresh token can be exchanged for a limited scope access token.

Payload

When exchanging the refresh token for a new access token, the grant_type is refresh_token.

client_id=PUBLISHABLE_KEY_PLACEHOLDER&client_secret=API_KEY_PLACEHOLDER&grant_type=refresh_token&refresh_token=REFRESH_TOKEN_PLACEHOLDER&scope=bolt.account.view

Response

{
  "access_token": "$NEW_ACCESS_TOKEN",
  "expires_in": 3600,
  "refresh_token": "$NEW_REFRESH_TOKEN",
  "refresh_token_scope": "bolt.account.view",
  "scope": "bolt.account.view",
  "token_type": "bearer"
}
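
The two payloads and the scope difference between them, as an added backend-side example (not Bolt's own code): it builds the form body for either grant, parses the response, and shows that a token obtained through refresh carries only bolt.account.view, so calls that need bolt.account.manage require a new login. `TokenSet`, the function names and the sample response are constructed for illustration, and the handling of '+' as a scope separator is an assumption.

```python
import json
from dataclasses import dataclass
from urllib.parse import urlencode

# Constructed sample: the refresh-grant response shape shown on this page.
SAMPLE_REFRESH_RESPONSE = json.dumps({
    "access_token": "NEW_ACCESS_TOKEN_PLACEHOLDER", "expires_in": 3600,
    "refresh_token": "NEW_REFRESH_TOKEN_PLACEHOLDER",
    "refresh_token_scope": "bolt.account.view",
    "scope": "bolt.account.view", "token_type": "bearer"})


@dataclass
class TokenSet:  # hypothetical container, not a Bolt type
    access_token: str
    refresh_token: str
    scope: str
    expires_at: float  # absolute expiry derived from expires_in

    def allows(self, required_scope: str, now: float) -> bool:
        """True only if the token is unexpired and carries required_scope.
        Assumption: multiple scopes are joined by '+' or spaces."""
        granted = self.scope.replace("+", " ").split()
        return now < self.expires_at and required_scope in granted


def build_token_body(client_id, client_secret, *, code=None, refresh_token=None):
    """Form body for /oauth/token. Build it on the store backend only:
    client_secret is the API key and must not be exposed to the frontend."""
    if (code is None) == (refresh_token is None):
        raise ValueError("pass exactly one of code or refresh_token")
    fields = {"client_id": client_id, "client_secret": client_secret}
    if code is not None:
        fields.update(code=code, grant_type="authorization_code",
                      scope="bolt.account.manage+openid")
    else:
        fields.update(grant_type="refresh_token", refresh_token=refresh_token,
                      scope="bolt.account.view")
    return urlencode(fields)


def parse_token_response(raw: str, now: float) -> TokenSet:
    """Reject anything that is not a bearer token; keep the refresh token
    returned with each response so the stored one can be replaced."""
    data = json.loads(raw)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    return TokenSet(data["access_token"], data["refresh_token"],
                    data["scope"], now + int(data["expires_in"]))
```

Pass the current time (for example `time.time()`) as `now`, and check `allows()` before each Bolt Account API call so that an expired or view-only token is caught on the backend instead of failing at the API.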

Next Step

After you fetch OAuth tokens, you will implement the Signed In Button front-end component to display a shopper's login status and, if they're signed in, a Logout button.