
Client Secrets

A client secret can be used to obtain access tokens, which are required when calling the Stitch API.

The client secret is sent using the client authentication method known as client_secret_post, as described in Section 9 of OpenID Connect Core 1.0.

To follow the steps in this section, please ensure that you have received a client_id and a client_secret.

If you currently have a certificate and need help switching to secret-based authentication, please reach out to a Stitch engineer via our Support Form.

Expiry Period

Your secret has a 2-year expiry period. Please contact Stitch before the expiry date to request a new secret.

Obtaining a Client Token

This example uses cURL to retrieve the client access token.

You'll need to replace the CLIENT_ID, CLIENT_SECRET, and scope with the appropriate values. If correctly formed, this request will return a JSON payload with the token.

curl --location --request POST 'https://secure.stitch.money/connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=*CLIENT_ID*' \
--data-urlencode 'scope=client_paymentrequest' \
--data-urlencode 'client_secret=*CLIENT_SECRET*'
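
The client token request above, rewritten so the client secret is read from a file instead of being typed on the command line, where it would be exposed in shell history and the process list. This is an added example, not Stitch's own code; the function names, exit codes and the secret-file convention are assumptions.

```shell
#!/bin/sh
# Added example. Function names and exit codes are assumptions.
TOKEN_URL='https://secure.stitch.money/connect/token'  # endpoint from the page

# Succeeds only if the file can safely be handed to curl's name@file form.
check_secret_file() {
  f=$1
  [ -f "$f" ] && [ -s "$f" ] || { echo "secret file missing or empty" >&2; return 2; }
  # Columns 5-10 of the mode string are the group/other bits; all must be clear.
  perms=$(ls -ldL -- "$f" | cut -c5-10)
  [ "$perms" = "------" ] || { echo "secret file accessible to group/other" >&2; return 3; }
  # curl URL-encodes the file byte for byte, so a trailing newline would be
  # sent as %0A and become part of the submitted secret.
  [ "$(tail -c 1 < "$f" | wc -l)" -eq 0 ] || { echo "secret file ends with a newline" >&2; return 4; }
  return 0
}

# Usage: get_client_token CLIENT_ID SCOPE SECRET_FILE
get_client_token() {
  client_id=$1; scope=$2; secret_file=$3
  check_secret_file "$secret_file" || return
  # client_secret@FILE puts only the path in argv; curl reads the value itself.
  curl --silent --show-error --fail --location \
    --request POST "$TOKEN_URL" \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode "client_id=$client_id" \
    --data-urlencode "scope=$scope" \
    --data-urlencode "client_secret@$secret_file"
}
```

Write the secret file with `printf '%s'` rather than `echo`, and `chmod 600` it, so that both checks pass.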

Obtaining a User Token

This example uses cURL to retrieve the user access and refresh tokens.

You'll need to replace the CLIENT_ID, REDIRECT_URI, AUTH_CODE, CODE_VERIFIER and CLIENT_SECRET with the appropriate values. If correctly formed, this request will return a JSON payload with the tokens.

curl --location --request POST 'https://secure.stitch.money/connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=*CLIENT_ID*' \
--data-urlencode 'redirect_uri=*REDIRECT_URI*' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code=*AUTH_CODE*' \
--data-urlencode 'code_verifier=*CODE_VERIFIER*' \
--data-urlencode 'client_secret=*CLIENT_SECRET*'