Get an access token
Exchanges a client ID and client secret for a short-lived Bearer access token using the OAuth2 client-credentials flow. Designed for server-to-server use: the credentials and the returned token stay on your backend. Send the returned `access_token` in the `Authorization` header as `Bearer <access_token>` on subsequent API calls. See the [OAuth authentication guide](/developers/oauth-authentication) for the full flow.
Request
This endpoint expects an object.
clientId
The client ID issued for your integration when credentials are provisioned in the Payabli Portal.
clientSecret
The client secret issued alongside the client ID. Keep it on your backend and never expose it in client-side code.
state
An optional opaque value echoed back in the response. Use it to correlate the request with its response.
permissions
An optional array of permission IDs that scopes the token to a subset of the credential's granted permissions. When omitted, the token carries all permissions granted to the credential.
Response
Access token issued.
token_type
The token type. Send the access token in the Authorization header as Bearer <access_token>.
access_token
The access token to send on subsequent API calls.
expires_in
The token's lifetime in seconds. Request a new token when it expires.
state
The opaque value sent in the request, echoed back. Present only when you send state in the request.
Errors
400
Bad Request Error