# Get Access Token

Source: https://www.mercadopago.com.pe/developers/en/docs/checkout-bricks/additional-content/security/oauth/creation.md

Learn how to use the flows, also known as _grant types_, to obtain an Access Token and access the data exposed by an API. These flows exist to cover the business scenarios that arise when consuming APIs, depending on the type of consuming application, its degree of trust, and how the user takes part in the process.

The access flows available for generating the Access Token are:

- [Authorization code](https://www.mercadopago.com.pe/developers/en/docs/security/oauth/creation#bookmark_authorization_code): when the credentials are used to access a resource on behalf of someone else (a seller).
- [Client credentials](https://www.mercadopago.com.pe/developers/en/docs/security/oauth/creation#bookmark_client_credentials): when the credentials are used to access a resource on the application's own behalf.

> WARNING
>
> Important
>
> If an Access Token generated from the **Authorization code** flow is invalid or expired, you can use the **Refresh Token** flow to exchange a temporary grant of type `refresh_token` for a new Access Token. This means the Access Token can be refreshed without the user interacting again once the authorization has been granted. For more information, visit [Renew Access Token](https://www.mercadopago.com.pe/developers/en/guides/additional-content/security/oauth/renewal).

## Authorization code

This flow is characterized by the seller's intervention to explicitly authorize the application's access to their data, and by the use of a code granted by the authorization server so that the application can obtain an Access Token and an associated refresh token. Because it is a redirect-based flow, you must allow interaction with the seller's browser and receive the request through the authorization server's redirect.
In this flow, the application requests the seller's express consent to access the data by opening a web page that states explicitly which areas will be accessed.

> WARNING
>
> Important
>
> Remember that you will handle sensitive information from your sellers. Make sure you store it safely. Do not put it in the authentication URL, and manage the entire process only from your server.

Once access is allowed, the server generates an authorization code that reaches the application through a redirect. In the next step, the application requests the token from the authorization server by sending the obtained code together with the application's data. Once this is done, the server grants the Access Token and the refresh token to the application.

See below how to **configure the PKCE protocol** (an optional security extension that adds an extra layer of protection, so it is recommended) and then how to **generate the Access Token**.

### Configure PKCE

**PKCE** (Proof Key for Code Exchange) is a security extension to OAuth that protects the exchange of an authorization code for an Access Token against interception attacks. It adds an extra layer of security by generating a verifier that is transformed into a challenge, so that even if the authorization code is intercepted, it is useless without the original verifier.

Follow the steps below to enable and configure the use of the authorization code flow with PKCE.

1. First, on the [Application details](https://www.mercadopago.com.pe/developers/en/docs/your-integrations/application-details) screen, click **Edit** and **enable the use of the authorization code flow with PKCE**. With the field enabled, Mercado Pago will require the `code_challenge` and `code_challenge_method` fields in OAuth authorization requests.
2. The fields can be generated in various ways, either through custom development or using SDKs.
   Follow the steps described in [this official documentation](https://datatracker.ietf.org/doc/html/rfc7636#section-4) (RFC 7636, section 4) to generate the required fields.
3. After generating the verifier and deriving the challenge from it, send the challenge to Mercado Pago as query parameters of the authentication URL below.

```URL
https://auth.mercadopago.com/authorization?response_type=code&client_id=$APP_ID&redirect_uri=$YOUR_URL&code_challenge=$CODE_CHALLENGE&code_challenge_method=$CODE_METHOD
```

- **redirect_uri**: URL provided in the "Redirect URL" field of [your application](https://www.mercadopago.com.pe/developers/en/docs/your-integrations/application-details).
- **code_verifier**: a random string generated by your server that must meet the RFC 7636 requirements: between 43 and 128 characters, drawn from uppercase letters, lowercase letters, digits and the characters `-`, `.`, `_` and `~`. For example: **47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU**. Generate it from a cryptographically secure random source and keep it on the server; it is never sent in the authentication URL.
- **code_challenge**: next, create a `code_challenge` from the `code_verifier` using one of the following transformations:
  - If it is possible to use **S256**, use this option: the `code_challenge` is the `BASE64URL` encoding (without `=` padding) of the SHA-256 hash of the ASCII `code_verifier`.
  - If it is not possible to use **S256** for some technical reason and the server supports the **plain** method, the `code_challenge` can be set equal to the `code_verifier`. Note that with `plain` anyone who can read the authorization request also learns the verifier, so it gives no protection against interception of that request; use it only when S256 is genuinely unavailable.
- **code_challenge_method**: the method used to generate the `code_challenge`, as described in the previous item. This field is `S256` or `plain`, depending on the transformation chosen in the `code_challenge` step.

4. After the challenge has been sent to Mercado Pago and the seller has authorized the access, you receive the authorization code needed to get the Access Token. Send it to the token endpoint together with the `code_verifier` so that Mercado Pago can perform the PKCE verification for transactions made with OAuth.

### Get token

The Access Token is the credential sent with API requests to access a protected resource. In this flow, it represents an authorization granted by a seller to a client application, with scopes and a limited validity period. Follow the steps below to obtain it.

> WARNING
>
> Attention
>
> It is recommended to carry out this procedure in one go, together with the user, since the code received at the "Redirect URL" after authorization is valid for 10 minutes, and the Access Token received from the endpoint is valid for 180 days (6 months).

1. Edit your application so that it contains your Redirect URL. See [Edit application](https://www.mercadopago.com.pe/developers/en/docs/your-integrations/application-details).
2. Send the **authentication URL** to the seller whose account you want to link to yours, with the following fields:

```Authentication_URL
https://auth.mercadopago.com/authorization?client_id=APP_ID&response_type=code&platform_id=mp&state=RANDOM_ID&redirect_uri=https://www.mercadopago.com.br/developers/example/redirect-url
```

| Field | Description |
|---|---|
| `client_id` | Replace the "APP_ID" value with your **application number**. Check [Application ID](https://www.mercadopago.com.pe/developers/en/docs/your-integrations/application-details) for more information. |
| `state` | Replace the "RANDOM_ID" value with an identifier that is unique and unguessable for each attempt and contains no sensitive information, so that you can tell which request a received code belongs to. This lets you verify that the response belongs to a request initiated by your own application; reject any callback whose `state` you did not issue. |
| `redirect_uri` | Add the URL registered in the "Redirect URLs" field of your application. **Make sure that the redirect_uri is a static URL.** Check [Application ID](https://www.mercadopago.com.pe/developers/en/docs/your-integrations/application-details) for more information. |

> If you need to pass additional parameters through the redirect, put that information in the `state` parameter rather than in the `redirect_uri`. Otherwise, the call will receive an error response, because the URL must exactly match the application's configuration.

3. Wait for the seller to open the URL and allow access. On opening the URL, the seller is taken to Mercado Pago and must log into their account to carry out the authorization.
4. Check your server's **Redirect URL** for the authorization code returned in the **code** parameter (the `state` you sent is returned alongside it).

```Redirect_URL
https://www.mercadopago.com.br/developers/example/redirect-url
```

5. Send your [credentials](https://www.mercadopago.com.pe/developers/en/docs/your-integrations/credentials) (`client_id` and `client_secret`), the returned **authorization code** (`code`) and, if you have [configured PKCE](https://www.mercadopago.com.pe/developers/en/docs/security/oauth/creation#:~:text=Access%20Token.-,Configure%20PKCE,-The%20PKCE%20), the `code_verifier` to the [/oauth/token](https://www.mercadopago.com.pe/developers/en/reference/authentication/oauth/_oauth_token/post) endpoint to receive the Access Token in response.
```php
<?php
// The opening lines of this snippet were lost in extraction; the `use` statements and the
// object construction below are reconstructed from the Mercado Pago PHP SDK v3 naming.
use MercadoPago\MercadoPagoConfig;
use MercadoPago\Client\OAuth\OAuthClient;
use MercadoPago\Client\OAuth\OAuthCreateRequest;

MercadoPagoConfig::setAccessToken("YOUR_ACCESS_TOKEN");

$client = new OAuthClient();
$request = new OAuthCreateRequest();
$request->client_secret = "CLIENT_SECRET";
$request->client_id = "CLIENT_ID";
$request->code = "CODE";                  // authorization code received at the Redirect URL
$request->redirect_uri = "REDIRECT_URI";  // must match the registered Redirect URL exactly
$client->create($request);
?>
```

```java
// Mercado Pago Java SDK; the application's access token is configured via MercadoPagoConfig.
import com.mercadopago.client.oauth.OauthClient;

OauthClient client = new OauthClient();
String authorizationCode = "TG-XXXXXXXX-241983636"; // code received at the Redirect URL
client.createCredential(authorizationCode, null);
```

```javascript
// Mercado Pago Node SDK
import { MercadoPagoConfig, OAuth } from 'mercadopago';

const client = new MercadoPagoConfig({ accessToken: 'access_token', options: { timeout: 5000 } });
const oauth = new OAuth(client);

oauth.create({
  'client_secret': 'your-client-secret',
  'client_id': 'your-client-id',
  'code': 'return-of-getAuthorizationURL-function', // authorization code received at the Redirect URL
  'redirect_uri': 'redirect-uri',                    // must match the registered Redirect URL exactly
}).then((result) => console.log(result))
  .catch((error) => console.log(error));
```

```bash
curl -X POST \
  'https://api.mercadopago.com/oauth/token' \
  -H 'Content-Type: application/json' \
  -d '{
    "client_id": "client_id",
    "client_secret": "client_secret",
    "code": "TG-XXXXXXXX-241983636",
    "grant_type": "authorization_code",
    "redirect_uri": "https://www.mercadopago.com.br/developers/example/redirect-url",
    "test_token": "false"
  }'
```

> To generate **sandbox** credentials for testing, send the `test_token` parameter with the value `true`.

## Client credentials

This flow is used when an application requests an Access Token using only its own credentials, to access its own resources. The main difference from the other flow is that no user takes part in the process, so the application cannot act on behalf of a user.

### Get token

The Access Token is the credential sent with API requests to access a protected resource. In this flow, the Access Token is obtained without user interaction and only grants access to the application's own resources. Follow the steps below to obtain it.

1. Send your [credentials](https://www.mercadopago.com.pe/developers/en/docs/your-integrations/credentials) (`client_id` and `client_secret`) to the [/oauth/token](https://www.mercadopago.com.pe/developers/en/reference/authentication/oauth/_oauth_token/post) endpoint with the value `client_credentials` in the `grant_type` parameter to receive a response containing a new `access_token`.
2. Update the application with the Access Token received in the response.

> WARNING
>
> Attention
>
> **The received token is valid for 6 hours.** Don't forget to renew it before it expires so that your applications continue to work correctly.

```php
<?php
// The opening lines of this snippet were lost in extraction; the `use` statements and the
// object construction below are reconstructed from the Mercado Pago PHP SDK v3 naming.
use MercadoPago\MercadoPagoConfig;
use MercadoPago\Client\OAuth\OAuthClient;
use MercadoPago\Client\OAuth\OAuthCreateRequest;

MercadoPagoConfig::setAccessToken("YOUR_ACCESS_TOKEN");

$client = new OAuthClient();
$request = new OAuthCreateRequest();
$request->client_secret = "CLIENT_SECRET";
$request->client_id = "CLIENT_ID";
$client->create($request);
?>
```

```javascript
// Mercado Pago Node SDK
import { MercadoPagoConfig, OAuth } from 'mercadopago';

const client = new MercadoPagoConfig({ accessToken: 'access_token', options: { timeout: 5000 } });
const oauth = new OAuth(client);

oauth.create({
  'client_secret': 'your-client-secret',
  'client_id': 'your-client-id',
}).then((result) => console.log(result))
  .catch((error) => console.log(error));
```

```bash
curl -X POST \
  'https://api.mercadopago.com/oauth/token' \
  -H 'Content-Type: application/json' \
  -d '{
    "client_id": "client_id",
    "client_secret": "client_secret",
    "grant_type": "client_credentials"
  }'
```
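Renewing the 6-hour client-credentials token before it expires, as an added example written for this page (not Mercado Pago SDK code and not from the original page). The JSON POST to `/oauth/token` is passed in as `post` and the clock as `now`, and `fakeClientCredentialsEndpoint` is a constructed stand-in for the real server, so the renewal logic runs offline; the 5-minute renewal margin, the `requests` counter and the made-up token values are this example's assumptions.

```javascript
// Added example (not Mercado Pago SDK code): a client_credentials token holder that renews
// ahead of the 6-hour expiry. `post` (JSON POST) and `now` are injected for offline use.
const TOKEN_URL = 'https://api.mercadopago.com/oauth/token';
const RENEW_MARGIN_MS = 5 * 60 * 1000; // renew 5 minutes before the server's stated expiry

class ClientCredentialsToken {
  constructor({ clientId, clientSecret }, post, now = Date.now) {
    this.clientId = clientId;
    this.clientSecret = clientSecret; // stays on the server; never ship it to a browser or app
    this.post = post;
    this.now = now;
    this.accessToken = null;
    this.expiresAtMs = 0;
    this.requests = 0; // how many times /oauth/token was actually called
  }

  // Returns a token good for at least RENEW_MARGIN_MS more, fetching a fresh one if needed.
  get() {
    if (this.accessToken && this.now() < this.expiresAtMs - RENEW_MARGIN_MS) {
      return this.accessToken;
    }
    const res = this.post(TOKEN_URL, {
      client_id: this.clientId,
      client_secret: this.clientSecret,
      grant_type: 'client_credentials',
    });
    // Trust expires_in from the response rather than hard-coding 6 hours.
    if (typeof res.access_token !== 'string' || !Number.isInteger(res.expires_in)) {
      throw new Error('malformed token response');
    }
    this.requests += 1;
    this.accessToken = res.access_token;
    this.expiresAtMs = this.now() + res.expires_in * 1000;
    return this.accessToken;
  }
}

// Constructed stand-in for /oauth/token (not the real server): checks the grant type and the
// credentials, and answers with a made-up token that expires in 6 hours (21600 s).
function fakeClientCredentialsEndpoint(expected) {
  let counter = 0;
  return (url, body) => {
    if (url !== TOKEN_URL || body.grant_type !== 'client_credentials') throw new Error('bad request');
    if (body.client_id !== expected.clientId || body.client_secret !== expected.clientSecret) {
      throw new Error('invalid_client');
    }
    counter += 1;
    return { access_token: `APP_USR-constructed-${counter}`, token_type: 'bearer', expires_in: 21600 };
  };
}
```

Keep one holder per application and call `get()` right before each API request; with a real HTTPS `post` the method becomes async, but the expiry arithmetic is unchanged.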