Getting an access token

Get an access token using your API key to make authenticated requests to the API.

In this guide, we'll walk you through the process of obtaining an access token. Access tokens are crucial for authorizing your requests to our API.

Follow the steps below to seamlessly integrate access token retrieval into your application.

Access token request

To obtain an access token, you'll need to make a request to our authorization server using your client credentials.

You can read our reference data for the API and try it out via our Auth API Reference.

Here's an example POST request to the /oauth2/token endpoint:

curl -XPOST https://demo.mention-me.com/api/oauth/token \
    -H 'Content-Type: application/json' \
    -d '{ "client_id": "<client-id>", "client_secret": "<client-secret>", "grant_type": "client_credentials" }'

Replace <client-id> and <client-secret> with your API key's client ID and secret respectively.

Access token response

Upon a successful request, the authorization server responds with a JSON Web Token (JWT) in the access_token field. Here's an example response:

{
  "access_token": "<jwt>",
  "expires_in": 3600,
  "token_type": "bearer"
}

The fields in the response are:

  • access_token: The JWT representing your access token
  • token_type: The type of token. In this case, it's "bearer"
  • expires_in: The expiration time of the access token in seconds (e.g., 3600 seconds equals one hour).

Handling errors

While obtaining an access token, errors may occur due to various reasons. For a detailed explanation of potential errors and their resolutions, refer to our Errors Guide.

JWT explained

Access tokens returned are JSON Web Tokens, or JWTs. JWTs are a standardised way of representing claims between two parties. In this case, the two parties are your application and Mention Me.

You can use the debug tool at JWT.io to inspect what access a token has.

A typical access token will have a payload that looks something like:

{
  "aud": [
    "project-test-2da703ca-e983-410e-93d0-442bb05b9b06"
  ],
  "claims": {
    "env": "demo",
    "merchantId": "4259"
  },
  "exp": 1706201080,
  "iat": 1706197480,
  "iss": "stytch.com/project-test-2da703ca-e983-410e-93d0-442bb05b9b06",
  "nbf": 1706197480,
  "scope": "customers:list",
  "sub": "m2m-client-test-3191ab24-133b-4634-a02d-0ec6249dd481"
}

The Mention Me specific fields are:

  • claims: This shows what Environment and Merchant a token can be used for
    • env: In this case, we have access to the demo environment
    • merchantId: In this case, this token can be used for Merchant 4259
  • scope: This shows the scopes that the token has access to

Token expiration

Access tokens have a limited lifespan for security reasons. In our case, tokens expire after one hour. It's essential to implement a mechanism to refresh tokens when they expire, ensuring uninterrupted access to the API.
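The following is an added example, not Mention Me's own code, covering the "JWT explained" and "Token expiration" sections together: it decodes a token's payload locally to read env, merchantId and scope, and requests a new token shortly before exp. The sample token is constructed from the payload shown above with a made-up header and placeholder signature; fetch is a hypothetical callable that performs the token request and returns the parsed JSON response, and the 60-second margin is an assumption.

```python
import base64
import json
import time

def _b64url(obj) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample: fields from the payload shown on this page, with a
# made-up header and a placeholder signature (not a real, verifiable token).
SAMPLE_PAYLOAD = {
    "claims": {"env": "demo", "merchantId": "4259"},
    "exp": 1706201080, "iat": 1706197480, "nbf": 1706197480,
    "scope": "customers:list",
}
SAMPLE_JWT = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                       _b64url(SAMPLE_PAYLOAD), "placeholder-signature"])

def decode_payload(jwt: str) -> dict:
    """Decode the claims locally. No signature check: inspection only."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # base64url omits padding
    return json.loads(base64.urlsafe_b64decode(seg))

def describe(jwt: str) -> dict:
    """Summarise the Mention Me specific fields of a token."""
    p = decode_payload(jwt)
    claims = p.get("claims", {})
    return {"env": claims.get("env"), "merchantId": claims.get("merchantId"),
            # Assumption: multiple scopes are space-separated, as in OAuth 2.0.
            "scopes": p.get("scope", "").split()}

def needs_renewal(jwt: str, now=None, margin: int = 60) -> bool:
    """True once the token is within `margin` seconds of its exp claim."""
    now = time.time() if now is None else now
    return now >= decode_payload(jwt)["exp"] - margin

class TokenCache:
    """Reuse a token until it nears expiry, then call fetch() for a new one."""
    def __init__(self, fetch, margin: int = 60):
        self._fetch, self._margin, self._token = fetch, margin, None

    def get(self, now=None) -> str:
        if self._token is None or needs_renewal(self._token, now, self._margin):
            self._token = self._fetch()["access_token"]
        return self._token
```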
