Stitch SSO

4.3. Client Tokens

What are client tokens?

Most of the functionality of the Stitch API is protected by what is known as user tokens. User tokens represent a client's authorization to access certain features of the user's bank account.

In contrast, a client token is issued to a client by the API and represents the time limited ability to access certain features of the client's profile on the API.

A client token is issued when the client sends a client assertion to the token endpoint.

Client Scopes

Scopes can be thought of as permissions to access certain features of the API.

If you attempt to make a request that needs extra scopes, the API response will return an error that lists the extra scopes required. The API documentation embedded in the IDE also includes the required scopes for different fields and mutations.

Client tokens have a different set of scopes than user tokens. The following scopes are currently available:

Client Scopes
client_paymentrequestThe scope is required to create, view and manage payment requests.
client_bankaccountverificationThe scope is required to submit bank account verification requests.
client_imageuploadThis scope allows you to use the clientImageUpload endpoint
client_businesslookupThis scope allows you to lookup a business by name, registration number, or director identity / passport numbers.
client_paymentauthorizationrequestThis scope allows you to URLs to link user's accounts for user-not-present payments.
client_refundAllows you issue refunds for a payment made with Stitch.
client_disbursementThis scope allows you to issue a disbursement: an instruction to Stitch to pay money out to a destination account.

In the next sections, we'll go through the steps needed to retrieve a client token with the client_paymentrequest scope.

Client Tokens

To proceed, you'll need a Client Id and Certificate. You can generate your own client credentials here to access a simulated payment environment.

You'll also have needed to have generated a private_key_jwt from the certificate by following the steps in the client assertion guide.

Stitch uses the OAuth 2.0 Client Credentials Flow for client tokens. This flow entails making a POST request to the endpoint with the following body parameters. The parameters are form encoded per OAuth 2.0 standards.

Token Request Body Parameters
client_idThis is the unique ID of the client you generated

A space separated list of requested scopes.

grant_typeShould be the value client_credentials for this flow
audienceShould always be the value
client_assertion_typeShould always have the value urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertionThe value of the generated private_key_jwt

Retrieving the Token Using cURL

This example bash script uses cURL to retrieve the client access and refresh token.

You'll need to replace the clientId, clientAssertion, and scopes with the appropriate values. This request if correctly formed, will return a JSON payload with the token.

1clientId='<your clientId>'
3clientAssertion='<your client assertion>'
5curl --location --request POST '' \
6--header 'Content-Type: application/x-www-form-urlencoded' \
7--data-urlencode 'grant_type=client_credentials' \
8--data-urlencode "client_id=$clientId" \
9--data-urlencode 'audience=' \
10--data-urlencode "scope=$scopes" \
11--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
12--data-urlencode "client_assertion=$clientAssertion"

Retrieving the Token Using JavaScript and the Fetch API

1async function retrieveTokenUsingClientAssertion(clientId, clientAssertion, scopes) {
2 const body = {
3 grant_type: 'client_credentials',
4 client_id: clientId,
5 scope: scopes.join(' '),
6 audience: '',
7 client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
8 client_assertion: clientAssertion
9 };
11 const bodyString = Object.entries(body).map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join('&');
13 const response = await fetch('', {
14 method: 'post',
15 headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
16 body: bodyString,
17 });
19 const responseBody = await response.json();
20 console.log('Tokens: ', responseBody);
21 return responseBody;

Retrieving the Token Using Postman

Download the following Postman collection, and import it into Postman:


The first request in the collection is "Retrieve Client Token". Replace the entries in the Body tab with the appropriate values, and click send. The request if correctly formed will return a JSON payload with the token.

Response Body

A typical response body returned from the token endpoint will look like the following:

2 "access_token": "udfc_WxDqxwfs5IKNHYohqGDZ9vwmyENvQYN7_cjW6M",
3 "expires_in": 3600,
4 "token_type": "Bearer",
5 "scope": "client_paymentrequest"
Token Response Body Parameters
access_tokenThe token needed to query the Stitch API
expires_inThe number of seconds until the token expires
scopeThe scopes that were granted by the user

We recommend that tokens are cached and only refreshed once expired as token generation is a cryptographically intensive process and so can slow down queries if retrieved on every request.

Making API requests with a client access token

Great! You now have a client access token, try it out by initiating a Payment Request or doing a Bank Account Verification.