client_id and client_secret for each lender during account setup. Contact the QFAST team to receive yours. Each credential pair is tied to your lender account and must be kept confidential.POST /v1/oauth2/tokenContent-Type: application/json
Accept: application/json{
"grant_type": "client_credentials",
"client_id": "<your_client_id>",
"client_secret": "<your_client_secret>"
}| Field | Type | Required | Description |
|---|---|---|---|
grant_type | String | Yes | Must be client_credentials. |
client_id | UUID | Yes | Your OAuth2 client identifier. |
client_secret | String | Yes | Your OAuth2 client secret. |
{
"token_type": "Bearer",
"expires_in": 300,
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..."
}| Field | Type | Description |
|---|---|---|
token_type | String | Always Bearer. |
expires_in | Integer | Token lifetime in seconds. Default: 300 (5 minutes). |
access_token | String | JWT token. Use this in the Authorization header. |
No refresh token. Client Credentials grant does not issue a refresh token. Request a new token before the current one expires.
Authorization: Bearer <access_token>expires_in seconds have elapsed.401 is received), request a new one.{
"error": "invalid_request",
"error_description": "Missing required parameter: grant_type",
"code": 400
}{
"error": "unsupported_grant_type",
"error_description": "Grant type must be client_credentials",
"code": 400
}{
"error": "invalid_client",
"error_description": "Client authentication failed: invalid client_id or client_secret",
"code": 401
}| HTTP Status | Error | Cause |
|---|---|---|
400 | invalid_request | Missing required parameter. |
400 | unsupported_grant_type | Grant type is not client_credentials. |
401 | invalid_client | Wrong client_id or client_secret. |
{
"error": "invalid_token",
"error_description": "The access token is missing, invalid, or expired.",
"code": 401
}{
"error": "forbidden",
"error_description": "Token is valid but the resource belongs to a different lender.",
"code": 403
}| HTTP Status | Error | Cause |
|---|---|---|
401 | invalid_token | Missing, invalid, or expired access token. |
403 | forbidden | Token is valid but the resource belongs to a different lender. |