Authorize
OAuth API

GET
https://www.mollie.com/oauth2/authorize
Authentication: none

The Authorize endpoint is the endpoint on the Mollie website where the merchant logs in and grants authorization to your client application. For example, when the merchant clicks the Connect with Mollie button, you should redirect the merchant to the Authorize endpoint.

You should construct the Authorize URL from the endpoint and the parameters below. Then, you should redirect the resource owner to the Authorize endpoint.

The resource owner can then grant the authorization to your client application for the scopes you have requested.

Mollie will then redirect the resource owner to the redirect_uri you have specified. A code parameter containing the auth token is appended to the redirect_uri. You should then exchange the auth token for an access token using the Tokens API.

Parameters

client_id
string

The client ID you receive when registering your app.

redirect_uri
string

Optional – The URL the merchant is sent back to once the request has been authorized. If given, it must match the URL you set when registering your app.

state
string

A random string generated by your app to prevent CSRF attacks.

scope
string

A space-separated list of permissions your app requires. Refer to OAuth: Permissions for more information about the available scopes.

response_type
string

Mollie currently only replies with code responses.

Possible values: code

approval_prompt
string

Set this parameter to force to always show the consent screen to the merchant, even when it is not necessary.

Possible values: auto force

Includes

Some endpoints allow you to indicate if you want more information to be included in the API response via the include querystring parameter.

  • No includes supported for this endpoint.

Response

301
Redirect
code
string

The auth code, with which you can request an access token.

state
string

The random string you've sent with your request to prevent CSRF attacks. Please always check if this matches the expected value.

error
string

Optional – If the request is cancelled by the merchant, or fails for any other reason, the merchant will be redirected back with an error field. The field will contain a code indicating the type of error.

error_description
string

Optional – If the error field is present, this field will be present as well with an explanation of the error code.

Example

In the example below, an authorization is requested. The merchant approves our request and is thus redirected back to our example redirect URL, along with an auth code and state.

Request code

// Using Mollie's provider for the League's OAuth 2 client: https://github.com/mollie/oauth2-mollie-php
$provider = new \Mollie\OAuth2\Client\Provider\Mollie([
    "clientId"                => $client_id,
    "clientSecret"            => $client_secret,
    "redirectUri"             => $redirect_url
]);

$authorize_url = $provider->getAuthorizationUrl([
    "scope" => "payments.read refunds.write",
]);

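// Start the session if needed, then store the state so we can check it later.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
$_SESSION["oauth2state"] = $provider->getState();

// Send the customer off to Mollie's consent screen, and stop executing this script.
header("Location: " . $authorize_url);
exit;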

Response

HTTP/1.1 301 Redirect
Location: https://example.com/redirect?code=auth_MsCe791aoQmtvIa7&state=xEoI7yDG01DL4iWSsrtNM
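
The state check that the Response section asks for, as an added example (not Mollie's code and not part of the original page). handle_authorize_callback() is a hypothetical helper, and the oauth2state session key follows the request example above. It compares the returned state in constant time, makes the stored state single-use, and handles error and error_description before accepting the code.

```php
<?php
// Added example. handle_authorize_callback() is a hypothetical helper name.
function handle_authorize_callback(array $query, array &$session): array
{
    // Remove the stored state first so it is single-use, whatever the outcome.
    $expected = $session["oauth2state"] ?? null;
    unset($session["oauth2state"]);

    // Reject the callback unless both values are strings and match exactly.
    // hash_equals() compares in constant time.
    $received = $query["state"] ?? null;
    if (!is_string($expected) || $expected === "" || !is_string($received)
        || !hash_equals($expected, $received)) {
        return ["ok" => false, "reason" => "state_mismatch"];
    }

    // Merchant cancelled or the request failed: the error fields are present.
    if (isset($query["error"])) {
        $error = $query["error"];
        $description = $query["error_description"] ?? "";
        return [
            "ok" => false,
            "reason" => "authorization_error",
            "error" => is_string($error) ? $error : "invalid",
            "error_description" => is_string($description) ? $description : "",
        ];
    }

    // Only now is the auth code accepted for the token exchange.
    $code = $query["code"] ?? null;
    if (!is_string($code) || $code === "") {
        return ["ok" => false, "reason" => "missing_code"];
    }
    return ["ok" => true, "code" => $code];
}

// Constructed sample callbacks, reusing the values from the example response.
$session = ["oauth2state" => "xEoI7yDG01DL4iWSsrtNM"];
$good = ["code" => "auth_MsCe791aoQmtvIa7", "state" => "xEoI7yDG01DL4iWSsrtNM"];
var_dump(handle_authorize_callback($good, $session));   // first use of the state
var_dump(handle_authorize_callback($good, $session));   // same callback replayed

$session = ["oauth2state" => "xEoI7yDG01DL4iWSsrtNM"];
$forged = ["code" => "auth_constructed", "state" => "not-the-stored-state"];
var_dump(handle_authorize_callback($forged, $session)); // state from another session
```

In a real callback script, pass $_GET and $_SESSION after session_start(), and exchange the returned code through the Tokens API only when ok is true.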