QFAST API Documentation
    • Authentication
    • Onboarding
      • Overview
      • Reference
        • Area Reference
      • API
        • Onboarding Personal
        • Get Onboarding Status
        • Submit Loan
        • Get Loan
      • Webhook
        • Onboarding Webhooks
    • Disbursement
      • Overview
      • Webhook
        • Disbursement Webhooks
    • Repayment
      • Overview
      • Webhook
        • Repayment Webhooks
    • Schemas
      • Loan Schema
      • Onboarding Schema

    Authentication

    All QFAST API requests require a Bearer token obtained via the OAuth2 Client Credentials grant. This is a server-to-server (machine-to-machine) flow — no user login is involved.

    Credentials#

    QFAST provisions a client_id and client_secret for each lender during account setup. Contact the QFAST team to receive yours. Each credential pair is tied to your lender account and must be kept confidential.

    1. Obtain an Access Token#

    Endpoint: POST /v1/oauth2/token
    Headers:
    Content-Type: application/json
    Accept: application/json
    Request Body:
    {
      "grant_type": "client_credentials",
      "client_id": "<your_client_id>",
      "client_secret": "<your_client_secret>"
    }
    FieldTypeRequiredDescription
    grant_typeStringYesMust be client_credentials.
    client_idUUIDYesYour OAuth2 client identifier.
    client_secretStringYesYour OAuth2 client secret.

    Success Response (200 OK)#

    {
      "token_type": "Bearer",
      "expires_in": 300,
      "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..."
    }
    FieldTypeDescription
    token_typeStringAlways Bearer.
    expires_inIntegerToken lifetime in seconds. Default: 300 (5 minutes).
    access_tokenStringJWT token. Use this in the Authorization header.
    No refresh token. Client Credentials grant does not issue a refresh token. Request a new token before the current one expires.

    Example#


    2. Use the Token#

    Include the access token in every API request:
    Authorization: Bearer <access_token>

    Example#


    3. Token Lifecycle#

    Token expiry is short (5 minutes). Your integration must handle token renewal proactively.
    Recommended approach:
    1.
    Request a token before making API calls.
    2.
    Cache the token and reuse it until expires_in seconds have elapsed.
    3.
    When the token is close to expiry (or a 401 is received), request a new one.
    4.
    Never hardcode tokens — always fetch them programmatically.

    4. Error Responses#

    Token Request Errors#

    400 Bad Request
    {
      "error": "invalid_request",
      "error_description": "Missing required parameter: grant_type",
      "code": 400
    }
    400 Bad Request (Unsupported Grant Type)
    {
      "error": "unsupported_grant_type",
      "error_description": "Grant type must be client_credentials",
      "code": 400
    }
    401 Unauthorized
    {
      "error": "invalid_client",
      "error_description": "Client authentication failed: invalid client_id or client_secret",
      "code": 401
    }
    HTTP StatusErrorCause
    400invalid_requestMissing required parameter.
    400unsupported_grant_typeGrant type is not client_credentials.
    401invalid_clientWrong client_id or client_secret.

    API Request Errors#

    401 Unauthorized
    {
      "error": "invalid_token",
      "error_description": "The access token is missing, invalid, or expired.",
      "code": 401
    }
    403 Forbidden
    {
      "error": "forbidden",
      "error_description": "Token is valid but the resource belongs to a different lender.",
      "code": 403
    }
    HTTP StatusErrorCause
    401invalid_tokenMissing, invalid, or expired access token.
    403forbiddenToken is valid but the resource belongs to a different lender.
    Next
    Overview
    Built with