Receiving tokens

When you send the POST request to the token endpoint, the endpoint validates the request parameters to ensure the authenticity and validity of the code. It checks factors such as the expiration of the code and whether it matches the client ID.
If the validation process is successful, the token endpoint generates and returns the tokens in the response. The response may include the following parameters:
  • access_token: represents the access token that you can use to authenticate API calls on behalf of the user. Include this token in the Authorization header of subsequent API requests.

  • expires_in: indicates the duration of the access token's validity, set to 3600 seconds (1 hour). After this time, the access token will expire, and you will need to refresh it using the refresh token if available.

  • token_type: specifies the type of token being returned, which is usually set as "Bearer". This indicates that the token follows the OAuth 2.0 Bearer Token specification.

  • refresh_token: if you have requested the "offline_access" scope during the authorisation process, the response may include a refresh token. This token can be used to refresh the access token once it has expired, ensuring continuity in API access without requiring repeated user authorisation.

    {
      "access_token":"eyJhbGciOiJQUzI1NiIsImtpZCI6ImJiYTUzOWViOTVkNDQzNWE5NTUwNmI4NTdlYWNmZjhlIiwidHlwIjoiYXQrand0In0.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.zkoFJyfbCsVEj6HKumrVoRCkhCQ6bZCi08EwpKtpaDCg_4KX7KJZnEgc7guSdmw4pLjiD2n_z7OcI6-EvHxX5hsum0pvmcUGEJMI1nHGT8XFggeAgptQaGr2wfF7NXc6ozT pY5YEBSMhwvTGmIDr_PGcdpc7Yp7ITtkJVEAUtUMlHgkRdVlhVV4K1_lK8DSD1E3pT-_jjdkG99BGMGFMFOj7we3Ry-iacg3cZqgpzyY0aY7eLIIlPhNSOLVkVDN7kFSd1ILPY0IA-B5c2GvSYoSYQy1 AjI0ePaylxpjALjZOiF7M-hL1rCuY-UloNuFstr3AkRsyNZQOpKOVYMoA8w",
      "expires_in":3600,
      "token_type":"Bearer",
      "refresh_token":"C2495E877E3074027C0D232761D01B084FB264B3211588FA8932C8C01129B639",
      "scope":"https://www.approvalmax.com/scopes/public_api offline_access"
    }

Token expiry

When you receive a token, it is essential to be aware of its expiry time. Tokens have a limited validity period after which they will no longer be valid for authentication. It is crucial to keep track of these expiry times to avoid any disruptions in API access. Both the access tokens and refresh tokens can be exchanged for new tokens before their respective expiry times.

Here are the expiry times for the tokens:
  1. access_token: 1 hour
  2. refresh_token: 30 days

Access token

The access token is a JSON Web Token (JWT) that can be decoded to obtain a JSON object containing valuable information about the user and the authentication process. To decode your token, please visit JWT.IO.
    {
      "nbf": 1680885008,
      "exp": 1680888608,
      "iss": "https://identity.approvalmax.com",
      "client_id": "8A59498C02D54104B7295D1CA08EA586",
      "sub": "92581804-f202-4a87-90b1-a4c9677b9146",
      "auth_time": 1680869179,
      "idp": "AMRemote",
      "https://www.approvalmax.com/connection": "e018ad8d-7875-4f55-a17e-db5dec8dce25",
      "jti": "DD4A003D5F1B93E10B17E5D9EFCD9F3B",
      "sid": "A1C021867AA6360DC73B7A39878C444D",
      "iat": 1680880234,
      "scope": [
        "https://www.approvalmax.com/scopes/public_api",
        "openid",
        "offline_access"
      ],
      "amr": [
        "external"
      ]
    }
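As an added example that is not part of the ApprovalMax documentation: a small client-side helper that parses a token response of the shape shown above, tracks the 1-hour access token and 30-day refresh token expiry times described under "Token expiry", and decodes the access token's claims locally (instead of pasting a live token into a web tool). The token, refresh token and claim values it uses are constructed stand-ins, and decode_jwt_claims reads the payload without verifying the signature, so its output is for inspecting exp/nbf/scope only.

```python
import base64
import json

ACCESS_TTL = 3600              # access_token lifetime stated on the page: 1 hour
REFRESH_TTL = 30 * 24 * 3600   # refresh_token lifetime stated on the page: 30 days
EARLY_REFRESH = 300            # refresh 5 minutes early so in-flight calls do not fail

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(token: str) -> dict:
    """Read the JWT payload locally. No signature check: use only to inspect
    exp/nbf/scope, never to trust the claims."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))

class TokenSet:
    """Tracks the access/refresh tokens returned by the token endpoint."""
    def __init__(self, response: dict, received_at: float):
        self.access_token = response["access_token"]
        self.refresh_token = response.get("refresh_token")
        self.access_expires_at = received_at + response.get("expires_in", ACCESS_TTL)
        self.refresh_expires_at = received_at + REFRESH_TTL if self.refresh_token else None

    def access_valid(self, now: float) -> bool:
        return now < self.access_expires_at - EARLY_REFRESH

    def can_refresh(self, now: float) -> bool:
        return self.refresh_token is not None and now < self.refresh_expires_at

    def auth_header(self, now: float) -> dict:
        if not self.access_valid(now):
            raise RuntimeError("access token expired; use the refresh token first")
        return {"Authorization": "Bearer " + self.access_token}

def constructed_jwt(claims: dict) -> str:
    # Constructed, unsigned token with the page's claim layout; a real token
    # carries a PS256 signature in the third segment instead of "sig".
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "PS256", "typ": "at+jwt"}) + "." + enc(claims) + ".sig"

SAMPLE_CLAIMS = {"nbf": 1680885008, "exp": 1680888608, "iss": "https://identity.approvalmax.com",
                 "scope": ["https://www.approvalmax.com/scopes/public_api", "offline_access"]}
SAMPLE_RESPONSE = {"access_token": constructed_jwt(SAMPLE_CLAIMS), "expires_in": 3600,
                   "token_type": "Bearer", "refresh_token": "CONSTRUCTED-REFRESH-TOKEN"}

if __name__ == "__main__":
    tokens = TokenSet(SAMPLE_RESPONSE, received_at=SAMPLE_CLAIMS["nbf"])
    claims = decode_jwt_claims(tokens.access_token)
    assert claims["exp"] - claims["nbf"] == ACCESS_TTL   # exp agrees with expires_in
    print(tokens.auth_header(now=SAMPLE_CLAIMS["nbf"] + 60))
```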
