Retrieve your Oauth 2 access token !


Step-by-step process 

1- Send a request directly to the IT infrastructure of the bank account holder.

For live access, the entry point to recover the access token depends on banking institution with the following format "https://www.<bkcode>".

In order to be able to query the right backend, it is therefore necessary that you request the PSU to select its banking institution thru your interfaces.

The list of our banking institutions and the possible values ​​of <bkcode> are specified in the "Limits" use case, see examples below :

Bank code <bkcode>

Bank name

Bank short name


B.P Grand Ouest



CE Ile de France 


For instance the URI will be :

Nb: the PSU may have several accounts in different banks of Groupe BPCE. You will need a different access token to access each of these account holder banks.


The detailed parameters are:

POST /psd2/oauth/token?client_id={clientId}&scope={scope}[&grant-type=client_credentials

Name   Data Type and constrains
grant_type [1..1] Requested autorisation type

String [34] => must be valued with "client_credentials"

client_id [1..1] TPP identification

String [34] => must be equal or linked to the OrganizationIdentifier part of the Distinguished Name" of the eIDAS certificate, according to ETSI specification 

=> your agreement number as defined by your national competent authority. (PSDXX-YYYY-ZZZZZ)

scope [0..1]

Spécifies the generic accreditations that both the PSU and the TPP agreed on : PISP

Chaîne [140] => Space delimited roles lists.

Default value is "pisp"

2- The bank account holder (ASPSP) performs checks upon your TPP profile (the certificate validity, your registered role, the non-revocation of your profile, etc…)


3- Once these checks are OK, the bank returns an HTTP 200 (OK) response containing the following data:

Name   Data Type and constrains
access_token [1..1] Access token provided by the ASPSP to the TPP

String [140] => ex : ""nACXdBobTpdwRRaYy2H3w7pP5Xe61e1R9rwxMuhk7G0fULg8x6kJHz"

token_type [1..1] Type of the provided token ("Bearer" or "MAC"

String[10] => must be valued with "Bearer"

expires_in [0..1]

Token lifetime, in seconds. The token can be used several times as far as it is not expired

Numeric => ex : "3600"
scope [1..1] Spécifies the generic accreditations that both the PSU and the TPP agreed on : PISP

Chaîne [140] => Default value is "pisp"


The access token must be used in every request in the authorization header with “Bearer” as a prefix.

If the token is expired, the request will be rejected with an HTTP403 error code indicating “Invalid token”. Such request might be sent again each time a new access token has been granted.