Authorization Code

POST /v1/token

This page is for plugin and integration developers building applications that act on behalf of a merchant.

Get Access Token (Authorization Code)

Use the authorization_code grant type when a third-party developer (such as a plugin or integration partner) needs to request access to a merchant's account on their behalf. Unlike client credentials, this flow involves redirecting the merchant to an RM consent screen where they approve the requested permissions.

Flow overview:

  1. Redirect the merchant to the RM authorization URL with your requested scopes.
  2. The merchant logs in and approves access.
  3. RM redirects back to your redirectUri with a temporary code.
  4. Exchange the code for an access token using this endpoint.

Step 1: Get Your Client ID

Go to RM Merchant Portal > Developer > Application to find your clientId.

Only clientId is needed for this step — you do not need clientSecret to build the authorization URL.


Step 2: Redirect the Merchant to the Authorization URL

Build the authorization URL using the parameters below and redirect the merchant's browser to it.

responseType (String, required)

Must be set to "code".

Example: "code"

clientId (String, required)

Your application's Client ID from the Merchant Portal.

Example: "3675930941412424316"

redirectUri (String, required)

The URL to redirect the merchant to after approval. Must exactly match the redirect URI registered in the Merchant Portal.

Example: "https://example.com/oauth/callback"

scope (String, required)

Permissions to request, as a comma-separated list with no spaces. Supported values: manage_payment, get_merchant_profile, get_user_profile, manage_store.

Example: "manage_payment,get_merchant_profile"

state (String)

An optional value you define. RM will include it in the redirect response unchanged — useful for CSRF protection or tracking session state.

Example: "abc123"

Example authorization URL:

https://sb-oauth.revenuemonster.my/authorize
?responseType=code
&clientId=3675930941412424316
&redirectUri=https://example.com/oauth/callback
&scope=manage_payment
&state=abc123

After the merchant approves, RM redirects them to your redirectUri with a code query parameter:

https://example.com/oauth/callback?code=<AUTHORIZATION_CODE>&state=abc123

Step 3: Exchange the Code for an Access Token

Use the code from the redirect to request an access token. Include your Base64-encoded clientId:clientSecret in the Authorization header (same as the Client Credentials flow).

Request Parameters

grantType (String, required)

Must be set to "authorization_code".

Example: "authorization_code"

code (String, required)

The authorization code received from the redirect in Step 2.

Example: "<AUTHORIZATION_CODE>"

redirectUri (String, required)

Must exactly match the redirect URI used in Step 2.

Example: "https://example.com/oauth/callback"


Response Parameters

accessToken (String)

Bearer token to include in all subsequent API requests.

Example: eyJhbGci...

tokenType (String)

Token scheme. Always "Bearer".

Example: "Bearer"

expiresIn (Number)

Access token lifetime in seconds. 2,591,999 seconds ≈ 30 days.

Example: 2591999

refreshToken (String)

Use this to get a new access token once the current one expires. See Refresh Token.

Example: OgoHjoZy...

refreshTokenExpiresIn (Number)

Refresh token lifetime in seconds.

Example: 1576799999
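
Steps 2 and 3 above as an added Python example (not RM's own code): it binds an unguessable state to the merchant's session when building the authorization URL, rejects any callback whose state does not match, and prepares the Step 3 credential and parameters. The function names and the dict-like `session` store are assumptions; nothing is sent over the network.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://sb-oauth.revenuemonster.my/authorize"  # sandbox URL from this page
ALLOWED_SCOPES = {"manage_payment", "get_merchant_profile",
                  "get_user_profile", "manage_store"}


def begin_authorization(session, client_id, redirect_uri, scopes):
    """Step 2: build the authorization URL and bind a fresh state to the session."""
    unknown = set(scopes) - ALLOWED_SCOPES
    if unknown:
        raise ValueError(f"unsupported scopes: {sorted(unknown)}")
    # Unguessable and generated per authorization attempt (hypothetical session key).
    session["oauth_state"] = secrets.token_urlsafe(32)
    query = urlencode({
        "responseType": "code",
        "clientId": client_id,
        "redirectUri": redirect_uri,   # percent-encoded by urlencode
        "scope": ",".join(scopes),     # comma-separated, no spaces
        "state": session["oauth_state"],
    })
    return f"{AUTHORIZE_URL}?{query}"


def code_from_callback(session, callback_url):
    """Return the code only if the returned state matches this session's state."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replay finds no state
    returned = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise PermissionError("state mismatch: callback is not tied to this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one code")
    return codes[0]


def token_request(code, redirect_uri, client_id, client_secret):
    """Step 3 inputs: Base64 of clientId:clientSecret and the request parameters."""
    credential = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = {"grantType": "authorization_code", "code": code,
            "redirectUri": redirect_uri}  # same redirectUri as in Step 2
    return credential, body
```

Run `token_request` only on your server: clientSecret must never reach the merchant's browser.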