OAuth
Access Tokens
Once the merchant has agreed to your requested OAuth scopes, they'll be automatically sent to the redirect URI you specified when generating the connect URL. The final step in the OAuth sequence is for your server to use this redirect URI to create an OAuth access token for the merchant.
Values returned in the redirect URI
The redirect URI will include the following values as query parameters:
Query Parameter | Description |
---|---|
code |
The authorization code. Must be exchanged for an access token to make API calls on the merchant's behalf. |
merchantId |
The Braintree identifier for the merchant's account. Used to construct deep links to the Braintree Control Panel and to help our Support team troubleshoot any issues you might encounter. |
state |
The state value you specified when generating the connect URL, if you specified one. |
Creating an access token
You must exchange the authorization code
in the query string of the redirect_uri for an access_token. The access_token is used to perform actions on a merchant's behalf. The following example creates an access_token:
- Ruby
gateway = Braintree::Gateway.new(
:client_id => "use_your_client_id",
:client_secret => "use_your_client_secret",
)
result = gateway.oauth.create_token_from_code(
:code => code_from_query_string,
)
access_token = result.credentials.access_token
expires_at = result.credentials.expires_at
refresh_token = result.credentials.refresh_token
Managing access tokens
An OAuth access_token will expire 24 hours from its creation. To exchange the access_token (e.g. if the current token is expiring soon or you think it has been compromised in some way), you can use the refresh_token to get a new one. The refresh_token is provided when you get the initial access token and will expire 180 days from its creation. Using a refresh_token will give you both a new access_token and a new refresh_token.
- Ruby
gateway = Braintree::Gateway.new(
:client_id => "use_your_client_id",
:client_secret => "use_your_client_secret",
)
result = gateway.oauth.create_token_from_refresh_token(
:refresh_token => use_the_refresh_token,
)
access_token = result.credentials.access_token
expires_at = result.credentials.expires_at
refresh_token = result.credentials.refresh_token
You can then revoke the use of the original access token by providing it to the revoke access token API.
- Ruby
gateway = Braintree::Gateway.new(
:client_id => "use_your_client_id",
:client_secret => "use_your_client_secret",
)
result = gateway.oauth.revoke_access_token(merchant_access_token)
The connected merchant can revoke OAuth access via the Control Panel. You can be notified of this event by setting up the OAuth access revoked webhook.
Using a revoked access token will result in an authentication error.
Next steps
- See the OAuth Reference
- Learn more about sharing access to payment methods in your own Vault using the Shared Vault and Grant API