Guides • Build Banking Apps
4. Get the access token
doc

4. Get the access token

In order to send requests to the API, you must first get your access token.

Request

You must provide the headers and parameters listed below.

Certificates

You must use a transport certificate and its private key in order to request an access token.

  • For Sandbox testing, you can use the transport.pem certificate file which you obtained in Convert certificates, together with the private key generated in step Generate a CSR.

  • For Production, you must use a valid OBIE or eIDAS transport certificate from a regulated Certificate Authority (CA), and its corresponding private key.

note

Revolut Open Banking API servers use certificates issued by Open Banking Limited.

You can find the root and issuing certificates here if you need to add them to your truststore.

Headers

  • Content-Type: application/x-www-form-urlencoded

Parameters

  • grant_type: Must be set to client_credentials to get the access token.
  • scope: Must be set to accounts.

Example

caution

If you get certificate errors when using curl with Sandbox, it usually means your system doesn’t trust our certificate issuer. The recommended approach is to add the certificate to your trusted store.

As a quick workaround, you can use the -k (or --insecure) option to skip certificate checks. Be aware this disables all SSL verification, which can hide issues like expired or mismatched certificates and leaves you vulnerable to man-in-the-middle attacks. For these reasons, avoid using -k in production or as a permanent solution.

curl --cert transport.pem --key private.key \
--location -X POST 'https://oba-auth.revolut.com/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials' \
-d 'scope=accounts' \
-d 'client_id=<your client_id>'

Response

The response contains the following JSON object:

{
    "access_token":"<access token>",
    "token_type":"Bearer",
    "expires_in":2399
}

What's next

Use this access token as the authentication bearer for all subsequent requests to the API, as described in the Tutorials section. Once your token expires, repeat the steps above to create a new token.

Previous3. Set up production environment
NextRegister your application using DCR
Was this page helpful?