Client Secrets
A client secret can be used to obtain access tokens, which are required when calling the Stitch API.
The client secret will be used through a method known as client_secret_post, as described in Section 9 of OpenID Connect Core 1.0.
To follow the steps in this section, please ensure that you have received a client_id and a client_secret.
If you currently have a certificate and need help switching to secret-based authentication, please reach out to a Stitch engineer via our Support Form.
Your secret has a 2-year expiry period. Please contact Stitch before the expiry date to request a new secret.
Obtaining a Client Token
This example uses cURL to retrieve the client access token.
You'll need to replace the CLIENT_ID, CLIENT_SECRET, and the scope with your appropriate values. If correctly formed, this request will return a JSON payload with the token.
curl --location --request POST 'https://secure.stitch.money/connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=*CLIENT_ID*' \
--data-urlencode 'scope=client_paymentrequest' \
--data-urlencode 'client_secret=*CLIENT_SECRET*'
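The same client_credentials request, as an added example that is not part of Stitch's documentation: it builds the client_secret_post body in a shell function and passes it to curl on stdin, so the secret does not appear in curl's argument list (which is visible in process listings and shell history). The STITCH_CLIENT_SECRET variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: keep the client secret out of curl's command line.
TOKEN_URL='https://secure.stitch.money/connect/token'   # endpoint from the page

# Percent-encode a string byte by byte; unreserved characters pass through.
urlencode() {
  printf '%s' "$1" | od -An -v -tx1 | tr -s ' ' '\n' | while read -r hex; do
    [ -n "$hex" ] || continue
    case "$hex" in
      # 0-9, A-Z, a-z, and - . _ ~ are emitted unchanged
      3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
        printf "\\$(printf '%03o' "0x$hex")" ;;
      *)
        printf '%%%s' "$hex" | tr 'a-f' 'A-F' ;;
    esac
  done
}

# Build the form body for the client_credentials grant.
# $1 = client_id, $2 = scope. The secret comes from the environment
# variable STITCH_CLIENT_SECRET (a name assumed for this example).
build_token_body() {
  : "${STITCH_CLIENT_SECRET:?STITCH_CLIENT_SECRET is not set}"
  printf 'grant_type=client_credentials&client_id=%s&scope=%s&client_secret=%s' \
    "$(urlencode "$1")" "$(urlencode "$2")" "$(urlencode "$STITCH_CLIENT_SECRET")"
}

# POST the body read from stdin (--data @-); only the URL and the header
# are passed as arguments. --fail makes HTTP errors return non-zero.
request_client_token() {
  build_token_body "$1" "$2" |
    curl --silent --show-error --fail \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data @- "$TOKEN_URL"
}

# Usage, with the secret loaded from a secret store rather than typed inline:
#   request_client_token "$CLIENT_ID" client_paymentrequest
```

The JSON response contains the access token, so treat the command's output like the secret itself: avoid writing it to shared logs or CI job output.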
Obtaining a User Token
This example uses cURL to retrieve the user access and refresh token.
You'll need to replace the CLIENT_ID, REDIRECT_URI, AUTH_CODE, CODE_VERIFIER and CLIENT_SECRET with the appropriate values. If correctly formed, this request will return a JSON payload with the tokens.
curl --location --request POST 'https://secure.stitch.money/connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=*CLIENT_ID*' \
--data-urlencode 'redirect_uri=*REDIRECT_URI*' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code=*AUTH_CODE*' \
--data-urlencode 'code_verifier=*CODE_VERIFIER*' \
--data-urlencode 'client_secret=*CLIENT_SECRET*'