Stitch SSO

4.8. Using a Client Secret

This document explains how to make use of a client secret. A client secret can be used to obtain access tokens which are required when calling the Stitch API.

This client secret is used with the client_secret_post authentication method, as described in Section 9 of OpenID Connect Core 1.0: the secret is sent as a form parameter in the body of the POST to the token endpoint.

To complete this guide, please ensure that you have received a client_id and a client_secret. You can generate your own client credentials here. If you currently have a certificate and need help switching to secret-based authentication, please reach out to a Stitch engineer via the support channels on Slack or our Support Form.

Note

Your secret has a 2 year expiry period. Please contact Stitch before the expiry date to request a new secret.

Obtaining a client token

This example uses cURL to retrieve the client access token.

You'll need to replace the CLIENT_ID, CLIENT_SECRET, and the scope with your appropriate values. If correctly formed, this request will return a JSON payload with the token.

curl --location --request POST 'https://secure.stitch.money/connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode "client_id=*CLIENT_ID*" \
  --data-urlencode "scope=client_paymentrequest" \
  --data-urlencode "client_secret=*CLIENT_SECRET*"

Obtaining a user token

This example uses cURL to retrieve the user access and refresh token.

You'll need to replace the CLIENT_ID, REDIRECT_URI, AUTH_CODE, CODE_VERIFIER and CLIENT_SECRET with the appropriate values. If correctly formed, this request will return a JSON payload with the tokens.

curl --request POST \
  --url https://secure.stitch.money/connect/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=*CLIENT_ID*' \
  --data-urlencode 'redirect_uri=*REDIRECT_URI*' \
  --data-urlencode grant_type=authorization_code \
  --data-urlencode 'code=*AUTH_CODE*' \
  --data-urlencode 'code_verifier=*CODE_VERIFIER*' \
  --data-urlencode 'client_secret=*CLIENT_SECRET*'
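The two cURL requests above, the client-credentials grant and the authorization-code grant, expressed as a small Python client. This is an added example, not Stitch's own code or SDK: the token endpoint URL and the client_paymentrequest scope come from this page, while the function names, the injectable opener and the sample token reply are assumptions constructed for the example. It shows the secret being carried in the form body (client_secret_post), validates the JSON reply, and tracks access-token expiry so a cached token is refreshed before it lapses.

```python
"""Added example of the client_secret_post token requests described above.
Not Stitch's own code; only the endpoint and scope are taken from the page."""
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://secure.stitch.money/connect/token"  # from the page


def build_client_token_request(client_id, client_secret, scope="client_paymentrequest"):
    """Encoded form body for the client_credentials grant.
    client_secret_post: the secret goes in the POST body, never in the URL."""
    params = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,
        "client_secret": client_secret,
    }
    return urllib.parse.urlencode(params).encode("utf-8")


def build_user_token_request(client_id, client_secret, redirect_uri, code, code_verifier):
    """Encoded form body for the authorization_code grant with the PKCE code_verifier."""
    params = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,
        "client_secret": client_secret,
    }
    return urllib.parse.urlencode(params).encode("utf-8")


def parse_token_response(body, now=None):
    """Validate the token endpoint's JSON reply and attach an absolute expiry time.
    Error messages deliberately omit the raw body so no token leaks into logs."""
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError("token endpoint returned error: %s" % data["error"])
    if "access_token" not in data or "expires_in" not in data:
        raise RuntimeError("token response is missing access_token or expires_in")
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),  # only present for user tokens
        "token_type": data.get("token_type", "Bearer"),
        "expires_at": now + int(data["expires_in"]),
    }


def token_is_fresh(token, now=None, skew=30):
    """True while the token still has more than `skew` seconds of life left."""
    now = time.time() if now is None else now
    return token["expires_at"] - skew > now


def post_form(body, url=TOKEN_URL, opener=urllib.request.urlopen):
    """Send the encoded form body. `opener` is injectable so the flow can run offline."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with opener(req) as resp:
        return resp.read().decode("utf-8")


class _FakeResponse:
    """Constructed stand-in for the HTTP response, used only for the offline demo."""
    def __init__(self, payload):
        self._payload = payload

    def read(self):
        return self._payload

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


# Constructed sample reply; real values come from the Stitch token endpoint.
SAMPLE_REPLY = b'{"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 3600}'


def demo_offline(now=1000):
    """Run the client-credentials flow against the constructed reply."""
    body = build_client_token_request("*CLIENT_ID*", "*CLIENT_SECRET*")
    raw = post_form(body, opener=lambda req: _FakeResponse(SAMPLE_REPLY))
    return parse_token_response(raw, now=now)


if __name__ == "__main__":
    tok = demo_offline()
    print("token fresh:", token_is_fresh(tok, now=1000), "expires_at:", tok["expires_at"])
```

Replace the injected opener with the default `urllib.request.urlopen` to talk to the real endpoint. Note that `token_is_fresh` tracks the lifetime of the access token returned by the endpoint; it says nothing about the 2 year expiry of the client secret itself, which still has to be renewed with Stitch as described in the note above.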