
# Get Token

> Use this endpoint to directly request an access_token

### Client Access Token
Use the HTTP Basic authentication scheme to authenticate
grant_type `client_credentials`, with
client_id/client_secret as user/password.

### Code/Password Token
Use the HTTP Bearer authentication scheme to authenticate
grant_type `authorization_code` or `password`, where the
Bearer value must be a JWT token with access to the token
endpoint.

### Account User Token
Use the HTTP Bearer authentication scheme to authenticate
grant_type `account_user_token`, where the Bearer value
must be an account user JWT token.

> Use the ID token as the Bearer token if the user was authenticated
> externally. The ID token must include an `email` claim that
> identifies the account user.

### Refresh Token
Use the HTTP Bearer authentication scheme to authenticate
grant_type `refresh_token`, where the Bearer value **must**
be an Access Token for the client that was used to create
the Refresh Token.

### Multi-factor authentication (MFA)

A request to this endpoint for an access token normally returns
either an error or an access token.
However, when MFA is enabled, the endpoint may return a new
error with `error.code: mfa_required`.

When an `mfa_required` error is returned, the client must perform
a `challenge`. This is done by sending a request to the
[auth/mfa/challenge](/management-auth-api/challenge/aid_auth_mfa_challenge_post) endpoint.

To verify MFA using an OOB challenge, the client must make a request to
this endpoint with `grant_type=mfa-oob`. Include the `oob_code` you
received from the challenge response, as well as the `mfa_token` you
received as part of the `mfa_required` error.

scopes:
- admin:accounts
- write:accounts
- write:accounts:/auth/users
- write:accounts:/auth/users/no-mfa




## OpenAPI

````yaml /mintlify-docs/openapi/spec-payments.yaml post /accounts/{oid}/auth/token
openapi: 3.0.0
info:
  title: Payments API
  contact:
    name: API Integration Support
    email: integration@dintero.com
  description: >
    Public endpoints for payments, including checkout, payout and settlement
    reports.
  version: LATEST
  license:
    name: UNLICENSED
    url: https://dintero.com
  x-logo:
    url: https://docs.dintero.com/img/dintero-dark-padded.svg
    altText: Dintero Logo
servers:
  - url: https://checkout.dintero.com/v1
security:
  - apikey: []
tags:
  - name: Transactions
    x-displayName: Transactions
    description: |
      View and perform operations on transactions
  - name: session
    x-displayName: Sessions
    description: |
      A Checkout Session relates to an order in your system.
      When an order has been placed you create a corresponding Checkout Session
      to receive payment for that order.
  - name: payment
    x-displayName: Payment
    description: |
      Resources used by the customer aka user to complete the payment of a
      session.
  - name: settlements
    x-displayName: Settlement reports
    description: Get settlement reports generated per payout
  - name: settlements.configuration
    x-displayName: Configuration
    description: Configure settlement reports
  - name: reports
    x-displayName: Reports
    description: List the generated monthly transaction reports
  - name: example-session-callbacks
    x-displayName: Callback
    description: |
      Example of received callbacks from Dintero's servers.
  - name: fund-transfers
    x-displayName: Fund Transfer
    description: Transfer funds between sellers
  - name: Sellers
    x-displayName: Sellers
    description: Manage the signup of a new Seller / Merchant account
  - name: example-session-callbacks
    x-displayName: Example Callbacks
    description: Example of callbacks delivered
  - name: v2-fund-transfers
    x-displayName: Fund Transfer
    description: Transfer funds between sellers
  - name: v2-config-payout-destinations
    x-displayName: Sellers
    description: Get payout data for sellers
paths:
  /accounts/{oid}/auth/token:
    post:
      tags:
        - authenticate
      summary: aid_auths_oauth_token_post
      description: >
        Use this endpoint to directly request an access_token


        ### Client Access Token

        Use HTTP Basic authentication scheme for

        authenticating grant_type `client_credentials`, use

        client_id/client_secret as user/password.


        ### Code/Password Token

        Use HTTP Bearer authentication scheme for authenticating

        grant_type `authorization_code` or `password`, where the

        Bearer value must be a JWT token with access to the token

        endpoint.


        ### Account User Token

        Use HTTP Bearer authentication scheme for authenticating

        grant_type `account_user_token`, where the Bearer value

        must be an account user JWT token.


        > Use the ID token as the Bearer token if the user was authenticated

        > externally. The ID token must include an `email` claim that

        > identifies the account user.


        ### Refresh Token

        Use HTTP Bearer authentication scheme for authenticating

        grant_type `refresh_token` where the Bearer value **must**

        be an Access Token for the client that was used to create

        the Refresh Token.


        ### Multi-factor authentication (MFA)


        When a request is made to the endpoint to get an access token,

        normally you either get an error, or you get an access token.

        However, when MFA is enabled, the endpoint may return a new

        error with `error.code: mfa_required`.


        When an `mfa_required` error is returned, the client must perform

        a `challenge`. This is done by sending a request to the

        [auth/mfa/challenge](/management-auth-api/challenge/aid_auth_mfa_challenge_post)
        endpoint.


        To verify MFA using an OOB challenge, the client must make a request to

        this endpoint with `grant_type=mfa-oob`. Include the `oob_code` you

        received from the challenge response, as well as the `mfa_token` you

        received as part of the `mfa_required` error.


        scopes:

        - admin:accounts

        - write:accounts

        - write:accounts:/auth/users

        - write:accounts:/auth/users/no-mfa
      operationId: aid_auths_oauth_token_post
      parameters:
        - $ref: '#/components/parameters/owner'
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AuthToken'
        required: true
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AccessToken'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/AccessForbidden'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                allOf:
                  - $ref: '#/components/schemas/Error'
                  - properties:
                      mfa_token:
                        type: string
                        description: >
                          Included in the response if `mfa_required` in
                          `error.code` is

                          returned. The client must then perform a `challenge`.
                          This

                          is done by sending a request to the

                          [/mfa/challenge](/management-auth-api/challenge/aid_auth_mfa_challenge_post)

                          endpoint.
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/ServerError'
      security:
        - clientAuth: []
        - JWT: []
components:
  parameters:
    owner:
      name: oid
      description: |
        An id that uniquely identifies the account or owner (partner)
      in: path
      required: true
      schema:
        type: string
        format: ^[PT]{1}(?=(?:.{3}|.{8})$)[0-9]*$
  schemas:
    AuthToken:
      discriminator:
        propertyName: grant_type
        mapping:
          client_credentials:
            $ref: '#/components/schemas/client_credentials'
      oneOf:
        - $ref: '#/components/schemas/client_credentials'
    AccessToken:
      type: object
      required:
        - access_token
        - token_type
        - expires_in
      properties:
        access_token:
          type: string
          description: A JWT access token
          example: eyJhbGci...t7P4
        token_type:
          type: string
          enum:
            - Bearer
        expires_in:
          type: integer
          description: |
            The lifetime in seconds of the access token.  For
            example, the value "3600" denotes that the access token will
            expire in one hour from the time the response was generated.
          example: 86400
        refresh_token:
          type: string
          description: |
            Token that can be used to request new tokens when the existing
            Access Token expires.

            You can only get a Refresh Token if the Access Token used in the
            request has scope:

             - `create:accounts:auth:refresh_token`

            and the `grant-type` is one of:

             - `authorization_code`
             - `password`

            **NOTE**:
             - A Single-Page Application should not ever receive a Refresh Token,
               this information is sensitive and should not be exposed client-side
               in a browser.
             - Refresh tokens must be stored securely by an application since
               they allow a user to remain authenticated essentially forever.
    Error:
      type: object
      required:
        - error
      properties:
        error:
          type: object
          required:
            - message
          properties:
            code:
              type: string
              description: The code used to identify the error/warning
            errors:
              type: array
              description: The nested error(s) encountered during validation
              items:
                type: object
            message:
              type: string
              description: The human readable description of the error/warning
    client_credentials:
      description: Client token credential
      x-discriminator-value: client_credentials
      type: object
      allOf:
        - $ref: '#/components/schemas/AuthTokenBase'
        - required:
            - audience
          properties:
            audience:
              type: string
              example: https://api.dintero.com/v1/accounts/P00000000
              description: |
                The unique identifier of the target API you want to access.
                The audience must be a grant associated with the client
      title: client_credentials
    AuthTokenBase:
      type: object
      properties:
        grant_type:
          type: string
      required:
        - grant_type
  responses:
    BadRequest:
      description: Bad / Invalid request
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    AccessForbidden:
      description: Access forbidden, invalid JWT token was used
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    TooManyRequests:
      description: Too Many Requests
      headers:
        Retry-After:
          description: |
            Indicates how long the user agent should wait
            in seconds before making a follow-up request.
          schema:
            type: integer
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    ServerError:
      description: Unexpected Error
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
  securitySchemes:
    apikey:
      type: apiKey
      in: header
      description: >
        X-API-Key authentication for accessing regular endpoints. Use

        [Create api-key](/checkout-api/api-keys/admin_api_keys_post) to create a
        key.


        The content of the header should look like the following:

            x-api-key: {api_key}
      name: x-api-key
    clientAuth:
      type: http
      description: |
        Authorization by using the **Basic** schema with client_id and
        client_secret as username/password
      scheme: basic
    JWT:
      type: http
      description: >
        Bearer authentication (token authentication) should be used for
        accessing the API.


        Use [Get Token](/api-reference/authenticate/aid_auths_oauth_token_post)
        to get an access token for client credentials.

        Pass the token in the request header:

            Authorization: Bearer {access_token}

        where the **access_token** is a JSON Web Token (JWT).
      scheme: bearer
      bearerFormat: JWT

````
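
An added example (not Dintero's code) of client-side handling for this endpoint: it builds the `client_credentials` request and maps each documented response (200, 403 with `mfa_required`, 429 with `Retry-After`) to the client's next step. The function names, the placement of `mfa_token` and `oob_code` as JSON properties in the `mfa-oob` body, and all sample values are assumptions; no network call is made.

```python
import base64
import json
import re
import time

TOKEN_URL = "https://checkout.dintero.com/v1/accounts/{oid}/auth/token"  # from the spec

def client_credentials_request(oid, client_id, client_secret, audience):
    """Basic auth carries client_id/client_secret; the JSON body carries the grant."""
    # Spec format: P or T plus 3 or 8 digits; keeps untrusted input out of the path.
    if not re.fullmatch(r"[PT](?:[0-9]{3}|[0-9]{8})", oid):
        raise ValueError("unexpected oid format")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "url": TOKEN_URL.format(oid=oid),
        "headers": {"Authorization": f"Basic {basic}",
                    "Content-Type": "application/json"},
        "body": json.dumps({"grant_type": "client_credentials",
                            "audience": audience}),
    }

def mfa_oob_body(mfa_token, oob_code):
    # Assumption: both values travel as JSON properties with these names.
    return json.dumps({"grant_type": "mfa-oob", "mfa_token": mfa_token,
                       "oob_code": oob_code})

def next_step(status, headers, body, now=None):
    """Map a token-endpoint response to what the client should do next."""
    now = time.time() if now is None else now
    try:
        doc = json.loads(body or "{}")
    except ValueError:
        doc = {}
    doc = doc if isinstance(doc, dict) else {}
    if status == 200:
        required = {"access_token", "token_type", "expires_in"}
        if not required <= doc.keys() or doc["token_type"] != "Bearer":
            raise ValueError("response does not match the AccessToken schema")
        return {"action": "use_token", "access_token": doc["access_token"],
                "expires_at": now + int(doc["expires_in"])}
    err = doc.get("error") or {}
    if status == 403 and err.get("code") == "mfa_required" and doc.get("mfa_token"):
        return {"action": "mfa_challenge", "mfa_token": doc["mfa_token"]}
    if status == 429:
        hdrs = {k.lower(): v for k, v in headers.items()}
        return {"action": "retry", "wait_seconds": int(hdrs.get("retry-after", 1))}
    # Surface only the error code; never echo credentials or tokens.
    return {"action": "fail", "status": status, "code": err.get("code")}
```

A 403 that carries `mfa_required` but no `mfa_token` falls through to `fail`, since the challenge cannot be started without it.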