Get Token
Endpoint to obtain OAuth 2.0 access token using client credentials.
📥 Postman Collection
URLs
| Method | URL | Action | Description |
|---|---|---|---|
| POST | /api/token | Authenticate | Gets access token using client_credentials |
Production:
{security-producao}/api/tokenStaging:
{security-homologacao}/api/tokenAuthentication
This endpoint uses OAuth 2.0 flow with grant_type: client_credentials. Credentials must be sent as query string parameters.
Get Token
Request
Endpoint: POST {security-producao}/api/token
Query Parameters:
grant_type:client_credentials(required)client_id: Client ID provided by Fanbase (required)client_secret: Client secret provided by Fanbase (required)
Example URL:
POST {security-producao}/api/token?grant_type=client_credentials&client_id=your_client_id&client_secret=your_client_secretSuccess Response
Status: 200 OK
json
{
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "refresh_token_here",
"scope": "fbserver openid profile ownersecret fanaccount accountdeletion fanbaseaccountpermission fullaccountcheck setpwd"
}Response Fields
| Field | Type | Description |
|---|---|---|
access_token | string | JWT access token |
token_type | string | Token type (always "Bearer") |
expires_in | number | Expiration time in seconds |
refresh_token | string | Token for access renewal |
scope | string | Permission scopes granted |
Token Usage
The obtained token must be sent in the AccessToken header in all subsequent requests to Connect API endpoints.
Example:
AccessToken: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...Implementation Example
javascript
async function getToken(clientId, clientSecret) {
const params = new URLSearchParams({
grant_type: 'client_credentials',
client_id: clientId,
client_secret: clientSecret
});
const response = await fetch(`{security-producao}/api/token?${params}`, {
method: 'POST'
});
if (!response.ok) {
throw new Error(`Error ${response.status}: ${response.statusText}`);
}
const data = await response.json();
return data.access_token;
}Error Handling
In case of invalid credentials or request error, the API will return an appropriate HTTP status code (400, 401, etc.) with an error message in the response body.
Security
- The
client_secretshould never be exposed in the frontend - Use this endpoint only in server-to-server communication
- Store the token securely and renew it before expiration
- Do not share tokens between different applications or environments