Tokens
OAuth API

POST
https://api.mollie.nl/oauth2/tokens
Authentication: OAuth client credentials

Exchange the auth code received at the Authorize endpoint for an actual access token, with which you can communicate with the Mollie API.

Parameters

grant_type
string

If you wish to exchange your auth code for an access token, use grant type authorization_code. If you wish to renew your access token with your refresh token, use grant type refresh_token.

Possible values: authorization_code refresh_token

code
string

Optional – The auth code you received when creating the authorization. Only use this field with grant type authorization_code.

refresh_token
string

Optional – The refresh token you received when creating the authorization. Only use this field with grant type refresh_token.

redirect_uri
string

The URL the merchant is sent back to once the request has been authorized. It must match the URL you set when registering your app.

Includes

Some endpoints allow you to indicate if you want more information to be included in the API response via the include querystring parameter.

  • No includes supported for this endpoint.

Response

200
application/json; charset=utf-8
access_token
string

The access token, with which you will be able to access the Mollie API on the merchant's behalf.

refresh_token
string

The refresh token, with which you will be able to retrieve new access tokens on this endpoint. Please note that the refresh token does not expire.

expires_in
integer

The number of seconds left before the access token expires. Be sure to renew your access token before this reaches zero.

token_type
string

As per OAuth standards, the provided access token can only be used with bearer authentication.

Possible values: bearer

scope
string

A space-separated list of permissions. Please refer to OAuth: Permissions for the full permission list.

Example

The following example illustrates how an auth code can be exchanged for a set of access and refresh tokens.

Request code

// Using Mollie's provider for the League's OAuth 2 client: https://github.com/mollie/oauth2-mollie-php
$provider = new \Mollie\OAuth2\Client\Provider\Mollie([
    "clientId"                => $client_id,
    "clientSecret"            => $client_secret,
    "redirectUri"             => $redirect_url
]);

try
{
    $response = $provider->getAccessToken("authorization_code", [
        // Use the authorization code received from the Authorize endpoint.
        "code" => "abc123",
    ]);

    $access_token  = $response->getToken();
    $refresh_token = $response->getRefreshToken();
    $expires       = $response->getExpires();

    echo "Access token: " . htmlspecialchars($access_token) . "<br />";
    echo "Refresh token: " . htmlspecialchars($refresh_token) . "<br />";
    echo "Access token expires on " . date('r', $expires) . ".";

    // getResourceOwner() expects the AccessToken object, not the token string.
    $resource_owner = $provider->getResourceOwner($response);

    print_r($resource_owner->toArray());
}
catch (\League\OAuth2\Client\Provider\Exception\IdentityProviderException $e)
{
    echo "Failed to retrieve access token or identity: ";
    echo htmlspecialchars($e->getMessage());
}

Response

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8

{
    "access_token": "access_46EUJ6x8jFJZZeAvhNH4JVey6qVpqR",
    "refresh_token": "refresh_FS4xc3Mgci2xQ5s5DzaLXh3HhaTZOP",
    "expires_in": 3600,
    "token_type": "bearer",
    "scope": "payments.read organizations.read"
}

Now that we have a refresh token, we should renew the access token before its expiry date as follows:

Request code

try
{
    $response = $provider->getAccessToken("refresh_token", [
        // Use the refresh token received when creating the first access token.
        // The refresh token is not renewed; the existing one is returned.
        "refresh_token" => $refresh_token,
    ]);

    $access_token  = $response->getToken();
    $refresh_token = $response->getRefreshToken();
    $expires       = $response->getExpires();

    echo "New access token: " . htmlspecialchars($access_token) . "<br />";
    echo "(Existing) refresh token: " . htmlspecialchars($refresh_token) . "<br />";
    echo "New access token expires on " . date('r', $expires) . ".";

    // getResourceOwner() expects the AccessToken object, not the token string.
    $resource_owner = $provider->getResourceOwner($response);

    print_r($resource_owner->toArray());
}
catch (\League\OAuth2\Client\Provider\Exception\IdentityProviderException $e)
{
    echo "Failed to refresh access token: " . htmlspecialchars($e->getMessage());
}

Response

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8

{
    "access_token": "access_TRbHbeB3my8XywBAdT6HRkGAJMuh4",
    "refresh_token": "refresh_FS4xc3Mgci2xQ5s5DzaLXh3HhaTZOP",
    "expires_in": 3600,
    "token_type": "bearer",
    "scope": "payments.read organizations.read"
}
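The two flows above (code exchange, then renewal with the non-expiring refresh token) reduce to a small amount of client-side bookkeeping: build the right form body for each grant type, and pin the relative expires_in to a clock so the renewal happens before it reaches zero. The following is an added example in Python, not code from Mollie or the League client; REFRESH_MARGIN is our own choice, and the sample responses are the ones shown on this page.

```python
import time
from urllib.parse import urlencode

REFRESH_MARGIN = 300  # renew this many seconds before expiry (our choice, not from the docs)

# The two responses shown on this page, reused here as sample input.
FIRST_RESPONSE = {"access_token": "access_46EUJ6x8jFJZZeAvhNH4JVey6qVpqR",
                  "refresh_token": "refresh_FS4xc3Mgci2xQ5s5DzaLXh3HhaTZOP",
                  "expires_in": 3600, "token_type": "bearer",
                  "scope": "payments.read organizations.read"}
REFRESH_RESPONSE = dict(FIRST_RESPONSE, access_token="access_TRbHbeB3my8XywBAdT6HRkGAJMuh4")

def token_request_body(grant_type, code=None, refresh_token=None, redirect_uri=None):
    """Form body for POST /oauth2/tokens. Enforces the rule stated above: `code`
    only with authorization_code, `refresh_token` only with refresh_token."""
    if grant_type == "authorization_code":
        if not code or refresh_token is not None:
            raise ValueError("authorization_code needs `code` and no `refresh_token`")
        params = {"grant_type": grant_type, "code": code}
    elif grant_type == "refresh_token":
        if not refresh_token or code is not None:
            raise ValueError("refresh_token needs `refresh_token` and no `code`")
        params = {"grant_type": grant_type, "refresh_token": refresh_token}
    else:
        raise ValueError("unsupported grant_type: %r" % grant_type)
    if redirect_uri is not None:
        params["redirect_uri"] = redirect_uri
    return urlencode(params)

class TokenSet:
    """One merchant's tokens plus the bookkeeping needed to renew in time."""

    def __init__(self, response, now=None):
        if response.get("token_type") != "bearer":
            raise ValueError("unexpected token_type: %r" % response.get("token_type"))
        self.refresh_token = response["refresh_token"]
        self.update(response, now)

    def update(self, response, now=None):
        """Apply a token response; expires_in is relative, so pin it to a clock."""
        now = time.time() if now is None else now
        self.access_token = response["access_token"]
        self.expires_at = now + int(response["expires_in"])
        # The refresh grant returns the existing refresh token; keep the stored one if omitted.
        self.refresh_token = response.get("refresh_token", self.refresh_token)

    def needs_refresh(self, now=None):
        now = time.time() if now is None else now
        return now >= self.expires_at - REFRESH_MARGIN
```

Store the refresh token with the same care as the client secret: it does not expire, so it grants access on the merchant's behalf until the authorization is revoked.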