Receiving tokens

When you send the POST request to the token endpoint, the endpoint validates the request parameters to ensure the authenticity and validity of the code. It checks factors such as the expiration of the code and whether it matches the client ID.
If the validation process is successful, the token endpoint generates and returns the tokens in the response. The response may include the following parameters:
  • access_token: the access token used to authenticate API calls on behalf of the user. Send it in the Authorization header (as a Bearer token) of subsequent API requests.

  • expires_in: indicates the duration of the access token's validity, set to 3600 seconds (1 hour). After this time, the access token will expire, and you will need to refresh it using the refresh token if available.

  • token_type: specifies the type of token being returned, which is usually set as "Bearer". This indicates that the token follows the OAuth 2.0 Bearer Token specification.

  • refresh_token: if you have requested the "offline_access" scope during the authorisation process, the response may include a refresh token. This token can be used to refresh the access token once it has expired, ensuring continuity in API access without requiring repeated user authorisation.


    {
      "access_token": "eyJhbGciOiJQUzI1NiIsImtpZCI6ImJiYTUzOWViOTVkNDQzNWE5NTUwNmI4NTdlYWNmZjhlIiwidHlwIjoiYXQrand0In0.<payload omitted>.<signature omitted>",
      "expires_in": 3600,
      "token_type": "Bearer",
      "refresh_token": "C2495E877E3074027C0D232761D01B084FB264B3211588FA8932C8C01129B639",
      "scope": "https://www.approvalmax.com/scopes/public_api offline_access"
    }

Token expiry

When you receive a token, it is essential to be aware of its expiry time. Tokens have a limited validity period after which they will no longer be valid for authentication. It is crucial to keep track of these expiry times to avoid any disruptions in API access. Both the access tokens and refresh tokens can be exchanged for new tokens before their respective expiry times.

Here are the expiry times for the tokens:
  1. access_token: 1 hour
  2. refresh_token: 30 days

Access token

The access token is a JSON Web Token (JWT). Decoding it yields a JSON object with claims about the user and the authentication process. To decode your token, you can use jwt.io. The claims of the sample token above look like this:
    {
      "nbf": 1680885008,
      "exp": 1680888608,
      "iss": "https://identity.approvalmax.com",
      "client_id": "8A59498C02D54104B7295D1CA08EA586",
      "sub": "92581804-f202-4a87-90b1-a4c9677b9146",
      "auth_time": 1680869179,
      "idp": "AMRemote",
      "https://www.approvalmax.com/connection": "e018ad8d-7875-4f55-a17e-db5dec8dce25",
      "jti": "DD4A003D5F1B93E10B17E5D9EFCD9F3B",
      "sid": "A1C021867AA6360DC73B7A39878C444D",
      "iat": 1680880234,
      "scope": [
        "https://www.approvalmax.com/scopes/public_api",
        "openid",
        "offline_access"
      ],
      "amr": [
        "external"
      ]
    }
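As an added example (not ApprovalMax's own code), the Python below does the client-side bookkeeping the sections above describe: it turns a token response into absolute expiry times using the 1 hour and 30 day lifetimes, decides whether to call the API, refresh, or send the user back through authorisation, and reads the claims out of the JWT. The sample response is constructed from the claims shown on the page with a placeholder header and signature; the CLOCK_SKEW margin is an assumption.

```python
import base64
import json

ACCESS_TOKEN_TTL = 3600             # 1 hour, as stated on the page
REFRESH_TOKEN_TTL = 30 * 24 * 3600  # 30 days, as stated on the page
CLOCK_SKEW = 60                     # assumed safety margin (seconds) before expiry

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample response: the claims are the ones shown on the page, but the
# header and signature are placeholders, not a real ApprovalMax token.
SAMPLE_CLAIMS = {"nbf": 1680885008, "exp": 1680888608, "iss": "https://identity.approvalmax.com",
                 "scope": ["https://www.approvalmax.com/scopes/public_api", "openid", "offline_access"]}
SAMPLE_RESPONSE = {
    "access_token": ".".join([_b64url({"alg": "PS256", "typ": "at+jwt"}), _b64url(SAMPLE_CLAIMS), "sig"]),
    "expires_in": 3600,
    "token_type": "Bearer",
    "refresh_token": "REFRESH_TOKEN_PLACEHOLDER",
    "scope": "https://www.approvalmax.com/scopes/public_api offline_access",
}

def decode_jwt_payload(token):
    """Read the claims of a compact JWT; the API server verifies the signature, not the client."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def record_tokens(response, received_at):
    """Convert a token-endpoint response into absolute expiry timestamps."""
    if response.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % response.get("token_type"))
    return {
        "access_token": response["access_token"],
        "access_expires_at": received_at + int(response.get("expires_in", ACCESS_TOKEN_TTL)),
        "refresh_token": response.get("refresh_token"),
        "refresh_expires_at": received_at + REFRESH_TOKEN_TTL if "refresh_token" in response else None,
        "scopes": response.get("scope", "").split(),
    }

def access_token_state(rec, now):
    """'valid': call the API; 'refresh': use the refresh token; 'reauthorise': both expired."""
    if now < rec["access_expires_at"] - CLOCK_SKEW:
        return "valid"
    if rec["refresh_token"] and now < rec["refresh_expires_at"] - CLOCK_SKEW:
        return "refresh"
    return "reauthorise"
```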
