> ## Documentation Index
> Fetch the complete documentation index at: https://docs.apocor.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Get an access token

> Exchange an Apocor API key (`client_id` + `client_secret`) for a short-lived bearer access token. This is the only credential your services ever need — Apocor manages every upstream provider on your behalf. **No `Authorization` header is required** — this endpoint issues the token; it does not consume one.



## OpenAPI

````yaml /openapi.json post /v1/oauth/token
openapi: 3.1.0
info:
  title: Apocor Core API
  version: 1.0.0
  description: >-
    The Apocor Cards API is the integration surface for issuing and managing
    cards. Authenticate with your Apocor API key, onboard applicants, run KYC,
    and issue virtual or physical cards — all through one white-labeled API.
  contact:
    name: Apocor Support
    url: https://apocor.com
servers:
  - url: https://sandbox.apocor.ai
    description: Sandbox (live)
  - url: https://api.apocor.com
    description: Production
  - url: http://localhost:4000
    description: Local development
security:
  - bearerAuth: []
tags:
  - name: Authentication
    description: Exchange Apocor API keys for a short-lived access token.
  - name: Applicants
    description: End-users and businesses, plus their identity verification (KYC).
  - name: KYC
    description: >-
      Identity verification settings, hosted sessions, BYOK share tokens, and
      issuer readiness.
    x-group: Identity verification (KYC)
  - name: Accounts
    description: Funding accounts that back issued cards.
  - name: Programs
    description: Card programs that define product type, currency, and BIN.
  - name: Cardholders
    description: Approved applicants turned into cardholders.
  - name: Cards
    description: Issue and manage virtual and physical cards.
  - name: Transactions
    description: Card transaction history from the issuer or local ledger.
  - name: Sandbox
    description: Sandbox-only simulation helpers for testing authorizations and KYC.
  - name: Session
    description: The authenticated principal behind the current access token.
    x-group: Account & API keys
  - name: API Keys
    description: Create, list, and revoke the API keys used to obtain access tokens.
    x-group: Account & API keys
  - name: Organizations
    description: Tenants (integrators / sub-orgs) managed on the platform.
  - name: Billing
    description: Platform credit balance, funding wallets, and the pay-as-you-go ledger.
  - name: Onboarding
    description: Invite-token onboarding flow for new users (no access token required).
  - name: Webhooks
    description: >-
      Inbound events Apocor receives from upstream providers. Apocor verifies
      the signature and processes these asynchronously — you do not call them.
  - name: System
    description: Service health probes used by load balancers and uptime monitors.
paths:
  /v1/oauth/token:
    post:
      tags:
        - Authentication
      summary: Get an access token
      description: >-
        Exchange an Apocor API key (`client_id` + `client_secret`) for a
        short-lived bearer access token. This is the only credential your
        services ever need — Apocor manages every upstream provider on your
        behalf. **No `Authorization` header is required** — this endpoint issues
        the token; it does not consume one.
      operationId: createOauthToken
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/OAuthTokenRequest'
            example:
              client_id: apocor_1a2b3c4d5e6f7g8h
              client_secret: apocor_sk_live_9i8u7y6t5r4e3w2q1...
      responses:
        '200':
          description: Access token issued.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
              example:
                access_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
                token_type: Bearer
                expires_in: 3600
        '401':
          $ref: '#/components/responses/Unauthorized'
      security: []
components:
  schemas:
    OAuthTokenRequest:
      type: object
      required:
        - client_id
        - client_secret
      properties:
        client_id:
          type: string
          description: The `prefix` of your Apocor API key.
        client_secret:
          type: string
          description: The secret shown once when the key was created.
    TokenResponse:
      type: object
      properties:
        access_token:
          type: string
        token_type:
          type: string
          example: Bearer
        expires_in:
          type: integer
          example: 3600
    Error:
      type: object
      properties:
        error:
          type: object
          properties:
            code:
              type: string
              description: Stable, machine-readable error code.
            message:
              type: string
              description: Human-readable explanation.
  responses:
    Unauthorized:
      description: Missing or invalid credentials.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            error:
              code: INVALID_CLIENT
              message: Invalid client credentials
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        Bearer access token obtained from `POST /v1/oauth/token` using your
        Apocor API key.

````