Skip to main content

Client AuthenticationDeprecated

caution

This section includes information around Stitch products and features that are now deprecated. Deprecated aspects of Stitch's plaform are no longer being supported or improved upon.

If you are currently using a deprecated Stitch product, please consider upgrading to one of our newer and equivalent offerings.

To initiate the process of creating a payment authorization request, a client token having the scope client_paymentauthorizationrequest is required. This scope allows you to create URLs to link a user's bank account for user-not-present payments.

Retrieving a Client Token

Stitch uses the OAuth 2.0 Client Credentials Flow for client tokens. This flow entails making a POST request to the endpoint https://secure.stitch.money/connect/token. The table below lists the required body parameters.

Note that all the parameters are required and should be form encoded per OAuth 2.0 standards.

Request ParameterDescription
client_idThis is the unique ID of the client you generated
scopeA non-empty, space separated list of requested scopes
grant_typeShould be the value client_credentials for this flow
audienceShould always be the value https://secure.stitch.money/connect/token
client_secretThe value of your client_secret

Retrieving the Token Using Postman

To quickly test this out easily on Postman, import the collection available here into your Postman client.

The request we're using in the collection is Retrieve Client Token. Replace the entries for client_id and client_secret in the collection's Body tab with appropriate values matching your client details, and click send. If constructed correctly, the request will return a JSON payload with the token.

Retrieving the Token Using JavaScript and the Fetch API

The example Javascript function below uses fetch to retrieve the client access token. You'll need to pass in appropriate values for clientId, clientSecret, and scopes to the function retrieveTokenUsingClientSecret

async function retrieveTokenUsingClientSecret(clientId, clientSecret, scopes) {
const body = {
grant_type: "client_credentials",
client_id: clientId,
scope: scopes.join(" "),
audience: "https://secure.stitch.money/connect/token",
client_secret: clientSecret,
};

const bodyString = Object.entries(body)
.map(([k, v]) => `${k}=${encodeURIComponent(v)}`)
.join("&");

const response = await fetch("https://secure.stitch.money/connect/token", {
method: "post",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: bodyString,
});

const responseBody = await response.json();
console.log("Tokens: ", responseBody);
return responseBody;
}

Response Body

A typical response body returned from the token endpoint will look like the following sample response:

{
"access_token": "udfc_WxDqxwfs5IKNHYohqGDZ9vwmyENvQYN7_cjW6M",
"expires_in": 3600,
"token_type": "Bearer",
"scope": "client_paymentauthorizationrequest"
}
Response ParameterDescription
access_tokenThe token needed to query the Stitch API
expires_inThe number of seconds until the token expires
scopeThe scopes that were granted by the user

We recommend that the access token is cached and only refreshed once expired as token generation is a cryptographically intensive process and so can slow down queries if retrieved on every request. More information about client token lifetimes can be found here.

Making API Requests with a Client Access Token

Now that you have a client access token, try it out by initiating a Payment Request.