Stitch SSO
4.3. Client Tokens
What are client tokens?
Most of the functionality of the Stitch API is protected by what is known as user tokens. User tokens represent a client's authorization to access certain features of the user's bank account.
In contrast, a client token is issued to a client by the API and represents the time limited ability to access certain features of the client's profile on the API.
A client token is issued when the client sends a client assertion to the token endpoint.
Client Scopes
Scopes can be thought of as permissions to access certain features of the API.
If you attempt to make a request that needs extra scopes, the API response will return an error that lists the extra scopes required. The API documentation embedded in the IDE also includes the required scopes for different fields and mutations.
Client tokens have a different set of scopes than user tokens. The following scopes are currently available:
| Client Scopes | |
|---|---|
| Scope | Description |
client_paymentrequest | The scope is required to create, view and manage payment requests. |
client_bankaccountverification | The scope is required to submit bank account verification requests. |
client_imageupload | This scope allows you to use the clientImageUpload endpoint | .
client_businesslookup | This scope allows you to lookup a business by name, registration number, or director identity / passport numbers. | .
client_paymentauthorizationrequest | This scope allows you to URLs to link user's accounts for user-not-present payments. | .
client_refund | Allows you issue refunds for a payment made with Stitch. | .
client_disbursement | This scope allows you to issue a disbursement: an instruction to Stitch to pay money out to a destination account. | .
In the next sections, we'll go through the steps needed to retrieve a client token with the client_paymentrequest scope.
Client Tokens
To proceed, you'll need a Client Id and Certificate. You can generate your own client credentials here to access a simulated payment environment.
You'll also have needed to have generated a private_key_jwt from the certificate
by following the steps in the client assertion guide.
Stitch uses the OAuth 2.0 Client Credentials Flow for client tokens. This flow entails making a POST request to the https://secure.stitch.money/connect/token endpoint with the following body parameters. The parameters are form encoded per OAuth 2.0 standards.
| Token Request Body Parameters | |
|---|---|
| Parameter | Description |
client_id | This is the unique ID of the client you generated |
scope | A space separated list of requested scopes. |
grant_type | Should be the value client_credentials for this flow |
audience | Should always be the value https://secure.stitch.money/connect/token |
client_assertion_type | Should always have the value urn:ietf:params:oauth:client-assertion-type:jwt-bearer |
client_assertion | The value of the generated private_key_jwt |
Retrieving the Token Using cURL
This example bash script uses cURL to retrieve the client access and refresh token.
You'll need to replace the clientId, clientAssertion, and scopes with the appropriate values. This request if correctly formed, will return a JSON payload with the token.
1clientId='<your clientId>'2scopes='client_paymentrequest'3clientAssertion='<your client assertion>'45curl --location --request POST 'https://secure.stitch.money/connect/token' \6--header 'Content-Type: application/x-www-form-urlencoded' \7--data-urlencode 'grant_type=client_credentials' \8--data-urlencode "client_id=$clientId" \9--data-urlencode 'audience=https://secure.stitch.money/connect/token' \10--data-urlencode "scope=$scopes" \11--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \12--data-urlencode "client_assertion=$clientAssertion"
Retrieving the Token Using JavaScript and the Fetch API
1async function retrieveTokenUsingClientAssertion(clientId, clientAssertion, scopes) {2 const body = {3 grant_type: 'client_credentials',4 client_id: clientId,5 scope: scopes.join(' '),6 audience: 'https://secure.stitch.money/connect/token',7 client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',8 client_assertion: clientAssertion9 };1011 const bodyString = Object.entries(body).map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join('&');1213 const response = await fetch('https://secure.stitch.money/connect/token', {14 method: 'post',15 headers: { 'Content-Type': 'application/x-www-form-urlencoded' },16 body: bodyString,17 });1819 const responseBody = await response.json();20 console.log('Tokens: ', responseBody);21 return responseBody;22}
Retrieving the Token Using Postman
Download the following Postman collection, and import it into Postman:
StitchSSO_ClientCredentials.postman_collection.json
The first request in the collection is "Retrieve Client Token". Replace the entries in the Body tab with the appropriate values, and click send. The request if correctly formed will return a JSON payload with the token.
Response Body
A typical response body returned from the token endpoint will look like the following:
1{2 "access_token": "udfc_WxDqxwfs5IKNHYohqGDZ9vwmyENvQYN7_cjW6M",3 "expires_in": 3600,4 "token_type": "Bearer",5 "scope": "client_paymentrequest"6}
| Token Response Body Parameters | |
|---|---|
| Parameter | Description |
access_token | The token needed to query the Stitch API |
expires_in | The number of seconds until the token expires |
scope | The scopes that were granted by the user |
We recommend that tokens are cached and only refreshed once expired as token generation is a cryptographically intensive process and so can slow down queries if retrieved on every request.
Making API requests with a client access token
Great! You now have a client access token, try it out by initiating a Payment Request or doing a Bank Account Verification.