OAuth Token
POST
/o/token
Obtains an OAuth 2.0 access token using the client credentials grant type. This endpoint implements the OAuth 2.0 Client Credentials flow, which is designed for server-to-server authentication scenarios where a client application needs to access API resources on its own behalf, not on behalf of a user.
Request Headers
| Header | Required | Description |
|---|---|---|
| Authorization required | string | Basic authentication using Base64-encoded client credentials in the format: Basic [base64_encoded_string], where [base64_encoded_string] is the result of Base64-encoding client_id:client_secret. |
| Content-Type required | string | Must be set to application/x-www-form-urlencoded for this request. |
| Cache-Control optional | string | Recommended to use no-cache to prevent caching of sensitive token requests. |
Request Body Parameters
| Parameter | Type | Description |
|---|---|---|
| grant_type required | string | The OAuth 2.0 grant type. Must be set to client_credentials for this flow. |
Generating the Authorization Header
The Authorization header follows the Basic authentication scheme and requires your client ID and client secret encoded in Base64 format:
- Combine your client ID and client secret with a colon separator:
client_id:client_secret - Encode this string using Base64 encoding
- Prepend
Basicto the encoded string
The resulting header should look like: Authorization: Basic dGVzdF9jbGllbnRfaWQ6dGVzdF9jbGllbnRfc2VjcmV0
Example Request
POST /o/token
Authorization: Basic dGVzdF9jbGllbnRfaWQ6dGVzdF9jbGllbnRfc2VjcmV0
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
grant_type=client_credentials
Response Parameters
| Parameter | Type | Description |
|---|---|---|
| access_token | string | The access token to use for authenticating API requests. |
| token_type | string | The type of token, always Bearer. |
| expires_in | integer | Token validity period in seconds (typically 3600, which equals 1 hour). |
| scope | string | Space-separated list of access scopes granted to this token. |
| issued_at | string | ISO 8601 timestamp indicating when the token was issued. |
Example Response
{
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1MTYyNDI2MjIsInNjb3BlIjoicmVhZCB3cml0ZSJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "read write",
"issued_at": "2025-04-24T08:30:45Z"
}
Error Codes
| Status Code | Error Code | Description |
|---|---|---|
| 400 | invalid_request | The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed. |
| 401 | invalid_client | Client authentication failed, either missing or invalid client credentials. |
| 401 | unauthorized_client | The authenticated client is not authorized to use this grant type. |
| 403 | access_denied | The client does not have permission to request an access token with the requested scopes. |
| 429 | too_many_requests | Too many token requests in a short period. Please wait and try again. |
| 500 | server_error | The authorization server encountered an unexpected condition. |
| 503 | service_unavailable | The authorization server is temporarily unable to handle the request. |
Using the Access Token
After obtaining an access token, include it in the Authorization header of your API requests:
GET /payments/
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Code Examples
cURL
# Create the Base64 encoded credentials
BASE64_CREDENTIAL=$(echo -n "your_client_id:your_client_secret" | base64)
# Request the access token
curl -X POST https://api.cryptofuse.io/o/token \
-H "Authorization: Basic $BASE64_CREDENTIAL" \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Cache-Control: no-cache" \
-d "grant_type=client_credentials"
Python
import base64
import requests
# Your client credentials
client_id = "your_client_id"
client_secret = "your_client_secret"
# Create the Base64 encoded credentials
credentials = f"{client_id}:{client_secret}"
base64_credentials = base64.b64encode(credentials.encode()).decode()
# Set up the request
url = "https://api.cryptofuse.io/o/token"
headers = {
"Authorization": f"Basic {base64_credentials}",
"Content-Type": "application/x-www-form-urlencoded",
"Cache-Control": "no-cache"
}
data = {
"grant_type": "client_credentials"
}
# Make the request
response = requests.post(url, headers=headers, data=data)
token_data = response.json()
# Extract and store the access token
access_token = token_data["access_token"]
print(f"Access token: {access_token}")
# Use the token in subsequent API calls
api_headers = {
"Authorization": f"Bearer {access_token}"
}
api_response = requests.get("https://api.cryptofuse.io/payments/", headers=api_headers)
Node.js
const axios = require('axios');
// Your client credentials
const client_id = 'your_client_id';
const client_secret = 'your_client_secret';
// Create the Base64 encoded credentials
const credential = `${client_id}:${client_secret}`;
const base64Credential = Buffer.from(credential).toString('base64');
// Request the access token
async function getAccessToken() {
try {
const response = await axios({
method: 'post',
url: 'https://api.cryptofuse.io/o/token',
headers: {
'Authorization': `Basic ${base64Credential}`,
'Content-Type': 'application/x-www-form-urlencoded',
'Cache-Control': 'no-cache'
},
data: 'grant_type=client_credentials'
});
// Store the access token
const accessToken = response.data.access_token;
// Use the token in subsequent API calls
const apiResponse = await axios({
method: 'get',
url: 'https://api.cryptofuse.io/payments/',
headers: {
'Authorization': `Bearer ${accessToken}`
}
});
return apiResponse.data;
} catch (error) {
console.error('Error:', error.response ? error.response.data : error.message);
throw error;
}
}
getAccessToken();
PHP
<?php
// Your client credentials
$client_id = 'your_client_id';
$client_secret = 'your_client_secret';
// Create the Base64 encoded credentials
$credentials = base64_encode("$client_id:$client_secret");
// Set up the token request
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => "https://api.cryptofuse.io/o/token",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_HTTPHEADER => [
"Authorization: Basic $credentials",
"Content-Type: application/x-www-form-urlencoded",
"Cache-Control: no-cache"
],
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => "grant_type=client_credentials"
]);
// Execute the request
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "Error: " . $err;
} else {
$token_data = json_decode($response, true);
$access_token = $token_data['access_token'];
// Use the token in subsequent API calls
$api_curl = curl_init();
curl_setopt_array($api_curl, [
CURLOPT_URL => "https://api.cryptofuse.io/payments/",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_HTTPHEADER => [
"Authorization: Bearer $access_token"
]
]);
$api_response = curl_exec($api_curl);
curl_close($api_curl);
// Process the API response
$payments = json_decode($api_response, true);
}
?>
Postman Pre-request Script Example
If you're using Postman to test the API, you can use the following pre-request script to automatically generate the Base64 encoded credentials:
// Get client credentials from environment variables
const client_id = pm.environment.get('client_id');
const client_secret = pm.environment.get('client_secret');
// Verify the credentials exist
if (!client_id || !client_secret) {
console.error('Error: client_id or client_secret not set in environment variables');
} else {
// Create credentials in the format "client_id:client_secret"
const credential = `${client_id}:${client_secret}`;
// Encode credentials in Base64
const base64Credential = btoa(credential);
// Save the encoded credentials as an environment variable
pm.environment.set('base64_credential', base64Credential);
console.log('Base64 credentials generated successfully');
}
Postman Tests Script Example
You can also use the following Postman Tests script to automatically extract and store the access token from the response:
// Get response data
const responseData = pm.response.json();
// If the response contains an access token, save it to environment variables
if (responseData && responseData.access_token) {
pm.environment.set('access_token', responseData.access_token);
console.log('Access token saved to environment variables');
}
Security Best Practices
- Secure Storage: Store client credentials and access tokens securely. Never hardcode them in your application.
- HTTPS Only: Always use HTTPS for token requests and API calls to ensure data is encrypted in transit.
- Token Management: Implement proper token lifecycle management - request new tokens before the current ones expire and handle token errors appropriately.
- Minimum Scope: Request only the scopes your application needs to minimize security risks.
- Error Handling: Implement proper error handling for authentication failures that doesn't expose sensitive information.