Step 1: Generate an Access Token #

The client credentials flow is used when an application needs to obtain permission to act on its own behalf. An application will exchange it's client_id, client_secret, and grant_type=client_credentials for an application access token. An application access token can then be used to make calls to the Dwolla API on behalf of the application, for example, when you create a webhook subscription, retrieve events, and interact with a Customer related endpoint.

Request application authorization #

The client credentials flow is the simplest OAuth 2 grant, with a server-to-server exchange of your application's client_id and client_secret for an OAuth application access token. In order to execute this flow, your application will send a POST request with the Authorization header that contains the word Basic followed by a space and a base64-encoded string client_id:client_secret.

Example:

Authorization: Basic Base64(client_id:client_secret)

HTTP request

POST https://api.dwolla.com/token

Including the Content-Type: application/x-www-form-urlencoded header, the request is sent to the token endpoint with grant_type=client_credentials in the body of the request:

Request parameters

Example request

// Using DwollaV2 - https://github.com/Dwolla/dwolla-v2-node
// This example assumes you've already intialized the client. Reference the SDKs page for more information: https://developers.dwolla.com/sdks-tools
var Client = require("dwolla-v2").Client;
var appToken = new Client({
  key: process.env.DWOLLA_APP_KEY,
  secret: process.env.DWOLLA_APP_SECRET,
  environment: "sandbox", // defaults to 'production'
});

Refreshing an application access token

A refresh token is not paired with an application access token, therefore in order to refresh authorization you'll simply request a new application access token by exchanging your client credentials (as shown above).

That's it! You're ready to start making requests to the Dwolla API on behalf of your application.