Retrieving the Access Token

Getting the code

If the user has accepted the link, we will redirect the flow to your redirect_uri URI with two query string parameters:

• code: You will need the code to make an API call to retrieve the access token.

• state(optional): The state params that you passed in the previous redirect (if any).

Note: if the user has denied the request, we will redirect to your redirect_uri URI with the error access_denied. The code has a short expiration time (~ 1minute).

Getting the access token

Now that you have a valid code, you can make a request to POST https://api.matrica.io/oauth2/tokenwith these params:

• grant_type : Must be set to authorization_code

• code : The code that you received.

• redirect_uri : The callback redirect URI originally requested.

• client_id : Your application ID.

• client_secret (optional): Only if your application is set to "Private".

• code_verifier : PKCE code verifier.

If everything matches up, the API call will respond with this JSON object:

{
    "access_token": "qwertyuio123456",
    "token_type": "Bearer",
    "refresh_token": "qwertyuiopasdfghjk",
    "expires_in": 3600,
    "scope": "profile"
}            

You can use the access_token to make calls to the OAuth 2.0 APIs (see here) and get the information you have access to (depending on the scopes).

Refresh token

Store the refresh_token safely and use it to get a new access_token once it has expired by calling POST https://api.matrica.io/oauth2/token with these params:

• refresh_token : The refresh token.

• grant_type : Must be set to refresh_token.

• client_id : Your application ID.

• client_secret (optional): Only if your application is "Private".