Ask Moov Beta
Generative AI is experimental and can make mistakes.
Guides Use cases API Changelog
  1. API reference
  2. Authentication
  3. Access tokens

Create an access token

Create or refresh an access token.
POST
/oauth2/token
cURL TypeScript PHP Java Python Ruby .NET 
curl -X POST "https://api.moov.io/oauth2/token" \
  -H "Authorization: Bearer {token}" \
  -H "X-Moov-Version: v2026.01.00" \
  -d '{
  "grant_type": "client_credentials"
}'
import { Moov } from "@moovio/sdk";

const moov = new Moov({
  security: {
    username: "",
    password: "",
  },
});

async function run() {
  const result = await moov.authentication.createAccessToken({
    grantType: "client_credentials",
    clientId: "5clTR_MdVrrkgxw2",
    clientSecret: "dNC-hg7sVm22jc3g_Eogtyu0_1Mqh_4-",
    scope: "/accounts.read /accounts.write",
    refreshToken: "eyJhbGc0eSI6TQSIsImN0kpXVCIsImtp6IkpXVsImtpZC0a...",
  });

  console.log(result);
}

run();
declare(strict_types=1);

require 'vendor/autoload.php';

use Moov\MoovPhp;
use Moov\MoovPhp\Models\Components;

$sdk = MoovPhp\Moov::builder()
    ->setSecurity(
        new Components\Security(
            username: '',
            password: '',
        )
    )
    ->build();

$request = new Components\AuthTokenRequest(
    grantType: Components\GrantType::ClientCredentials,
    clientId: '5clTR_MdVrrkgxw2',
    clientSecret: 'dNC-hg7sVm22jc3g_Eogtyu0_1Mqh_4-',
    scope: '/accounts.read /accounts.write',
    refreshToken: 'eyJhbGc0eSI6TQSIsImN0kpXVCIsImtp6IkpXVsImtpZC0a...',
);

$response = $sdk->authentication->createToken(
    request: $request
);

if ($response->authToken !== null) {
    // handle response
}
package hello.world;

import io.moov.sdk.Moov;
import io.moov.sdk.models.components.*;
import io.moov.sdk.models.errors.AuthTokenRequestError;
import io.moov.sdk.models.errors.GenericError;
import io.moov.sdk.models.operations.CreateAccessTokenResponse;
import java.lang.Exception;

public class Application {

    public static void main(String[] args) throws GenericError, AuthTokenRequestError, Exception {

        Moov sdk = Moov.builder()
                .security(Security.builder()
                    .username("")
                    .password("")
                    .build())
            .build();

        AuthTokenRequest req = AuthTokenRequest.builder()
                .grantType(GrantType.CLIENT_CREDENTIALS)
                .clientId("5clTR_MdVrrkgxw2")
                .clientSecret("dNC-hg7sVm22jc3g_Eogtyu0_1Mqh_4-")
                .scope("/accounts.read /accounts.write")
                .refreshToken("eyJhbGc0eSI6TQSIsImN0kpXVCIsImtp6IkpXVsImtpZC0a...")
                .build();

        CreateAccessTokenResponse res = sdk.authentication().createAccessToken()
                .request(req)
                .call();

        if (res.authToken().isPresent()) {
            System.out.println(res.authToken().get());
        }
    }
}
from moovio_sdk import Moov
from moovio_sdk.models import components


with Moov(
    security=components.Security(
        username="",
        password="",
    ),
) as moov:

    res = moov.authentication.create_access_token(grant_type=components.GrantType.CLIENT_CREDENTIALS, client_id="5clTR_MdVrrkgxw2", client_secret="dNC-hg7sVm22jc3g_Eogtyu0_1Mqh_4-", scope="/accounts.read /accounts.write", refresh_token="eyJhbGc0eSI6TQSIsImN0kpXVCIsImtp6IkpXVsImtpZC0a...")

    # Handle response
    print(res)
require 'moov_ruby'

Models = ::Moov::Models
s = ::Moov::Client.new(
  security: Models::Components::Security.new(
    username: '',
    password: ''
  )
)

req = Models::Components::AuthTokenRequest.new(
  grant_type: Models::Components::GrantType::CLIENT_CREDENTIALS,
  client_id: '5clTR_MdVrrkgxw2',
  client_secret: 'dNC-hg7sVm22jc3g_Eogtyu0_1Mqh_4-',
  scope: '/accounts.read /accounts.write',
  refresh_token: 'eyJhbGc0eSI6TQSIsImN0kpXVCIsImtp6IkpXVsImtpZC0a...'
)
res = s.authentication.create_access_token(request: req)

unless res.auth_token.nil?
  # handle response
end
using Moov.Sdk;
using Moov.Sdk.Models.Components;

var sdk = new MoovClient(security: new Security() {
    Username = "",
    Password = "",
});

AuthTokenRequest req = new AuthTokenRequest() {
    GrantType = GrantType.ClientCredentials,
    ClientId = "5clTR_MdVrrkgxw2",
    ClientSecret = "dNC-hg7sVm22jc3g_Eogtyu0_1Mqh_4-",
    Scope = "/accounts.read /accounts.write",
    RefreshToken = "eyJhbGc0eSI6TQSIsImN0kpXVCIsImtp6IkpXVsImtpZC0a...",
};

var res = await sdk.Authentication.CreateAccessTokenAsync(req);

// handle response
200 400 422 429 500 504
The request completed successfully.
application/json
Example
{
  "token_type": "Bearer",
  "access_token": "eyJhbGciOiJFZERTQSIsImN0eSI6IkpXVCIsImtpZCI6IkR...",
  "refresh_token": "eyJhbGc0eSI6TQSIsImN0kpXVCIsImtp6IkpXVsImtpZC0a...",
  "expires_in": 1736964352,
  "scope": "/accounts.read /accounts.write"
}

Response headers

x-request-id

string required
A unique identifier used to trace requests.
The server could not understand the request due to invalid syntax.
application/json
Example
{
  "error": "string"
}

Response headers

x-request-id

string required
A unique identifier used to trace requests.
The request was well-formed, but the contents failed validation. Check the request for missing or invalid fields.
application/json
Example
{
  "scope": "string",
  "refresh_token": "string"
}

Response headers

x-request-id

string required
A unique identifier used to trace requests.
Request was refused due to rate limiting.

Response headers

x-request-id

string required
A unique identifier used to trace requests.
The request failed due to an unexpected error.

Response headers

x-request-id

string required
A unique identifier used to trace requests.
The request failed because a downstream service failed to respond.

Response headers

x-request-id

string required
A unique identifier used to trace requests.

Headers

X-Moov-Version

string
Set this header to v2026.01.00 to use the API described in this specification. When omitted, the server defaults to v2024.01.00, which may not match the behavior documented here.
Possible values: v2026.01.00

Body

application/json

grant_type

string<enum> required

The type of grant being requested.

  • client_credentials: A grant type used by clients to obtain an access token
  • refresh_token: A grant type used by clients to obtain a new access token using a refresh token
Possible values: client_credentials, refresh_token

client_id

string
Client ID can be provided here in the body, or as the Username in HTTP Basic Auth.

client_secret

string
Client secret can be provided here in the body, or as the Password in HTTP Basic Auth.

refresh_token

string
The refresh_token returned alongside the access token being refreshed. Required when grant_type is refresh_token.

scope

string
A space delimited list of scopes. Required when grant_type is client_credentials.

Response

application/json

access_token

string <=4096 characters required
A value passed to the authorization server to gain access to the system.

expires_in

integer<int32> required
Unix timestamp indicating when this token expires.

refresh_token

string <=4096 characters required
A value passed to the authorization server to obtain a new access token.

scope

string required
A space-delimited list of scopes that are allowed.

token_type

string<enum> required
An RFC 6750 token type.
Possible values: Bearer