Skip to main content

Access Token Request for Userโ€‹

The Access Token Request API is one of the vital component of the token generation workflow, designed to streamline the process of granting access to resources. It facilitates secure communication by triggering a user-driven approval process.

The following illustration depicts the flow and the actions performed by both the Initiator and the Account Holder.

Login flow

Here's how the process works in detail:

Step 1: Initiating the Request

When the API is invoked, a request for an access token is generated. This triggers a notification to the user, informing them of the pending action required to either approve or reject the request.

Step 2: User Notification

The user is notified through multiple channels to ensure they are aware of the request. Notifications are sent via:

  • In-App (Upstox Mobile/Web): A prompt appears within the Upstox mobile or web platform.
  • WhatsApp: An additional notification is sent to the user's WhatsApp account for convenience.

These notifications provide the necessary details about the request, including the reason and origin, enabling the user to make an informed decision.

Step 3: User Action

The user can either approve or reject the request based on their discretion:

  • Approval: If the user approves the request, the access token is securely transmitted to the designated Notifier Webhook Endpoint, which was configured during the app setup process. This ensures that the token reaches the appropriate endpoint for further use.
  • Rejection: If the user rejects the request, the token generation process is terminated, and the request is discarded. No token is created or sent.

Note: It is crucial to distinguish this API from the standard token generation API, which is used for generating tokens independently by the Account Holder without external initiation.

Requestโ€‹

curl -X 'POST' 'https://api.upstox.com/v3/login/auth/token/request/678d46e1-91ac-4b8d-925d-89c8e3015c2b' \
-H 'accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
  "client_secret": "{your_client_secret}"
}'

For additional samples in various languages, please refer to the Sample code section on this page.

Path Parametersโ€‹

NameRequiredTypeDescription
client_idtruestringThe API key obtained during the app generation process.

Request Bodyโ€‹

NameRequiredTypeDescription
client_secrettruestringThe API secret obtained during the app generation process. This private key remains confidential, known only to the application and the authorization server.
Responses

Response Bodyโ€‹

{
    "status": "success",
    "data": {
        "authorization_expiry": "1732226400000",
        "notifier_url": "https://initiator-webhook-endpoint"
    }
}
NameTypeDescription
statusstringA string indicating the outcome of the request. Typically success for successful operations.
dataobjectResponse data for token request
data.authorization_expirystringAn expiration time for the access token generation process, starting from the moment a initiator requests the token until the 3:30 AM the following day.
data.notifier_urlstringThe Notifier webhook endpoint where the access token is to be sent. The Notifier webhook endpoint must be configured during the app generation process.

Notifier Webhookโ€‹

Once the user approves the initiator's request to generate an access token, the Upstox API will send the following payload to the specified notifier webhook URL:

Response structure:โ€‹


{
    "client_id": "615b1297-d443-3b39-ba19-1927fbcdddc7",
    "user_id": "******",
    "access_token": "*********",
    "token_type": "Bearer",
    "expires_at": "1731448800000",
    "issued_at": "1731412800000",
    "message_type": "access_token"
}
NameTypeDescription
client_idstringThe API key associated with the app during its generation process, for which the access token has been successfully generated.
user_idstringUniquely identifies the user (commonly referred as UCC)
access_tokenstringThe generated authentication token to be used for all subsequent API requests.
token_typestringThe type of token issued, indicating the authentication scheme to be used, such as Bearer.
expires_atstringThe timestamp indicating when the access token will expire. After this time, the token will no longer be valid for making API requests and a new token may need to be generated.
issued_atstringThe timestamp indicating when the access token was issued. It represents the exact time the token was generated.
message_typestringThe type of webhook response sent to the notifier url.
such as access_token

Authorization Expiryโ€‹

The access token request to obtain the access_token has a defined validity period that expires at 3:30 AM the following day, unless the user approves it sooner.

For example:

  • If the initiator requests the token at 8:00 PM on Tuesday, the request will expire at 3:30 AM on Wednesday, at which point it will expire.
  • Similarly, if the request is initiated at 2:30 AM on Wednesday, it will still expire at 3:30 AM on the same Wednesday.

Users are encouraged to approve the access token request promptly, keeping the expiration schedule in mind to ensure smooth access and usage.

Sample Codeโ€‹

Access token requestโ€‹

import requests

url = 'https://api.upstox.com/v3/login/auth/token/request/678d46e1-91ac-4b8d-925d-89c8e3015c2b'
headers = {
    'accept': 'application/json',
    'Content-Type': 'application/json',
}

data = {
    'client_secret': '{your_client_secret}'
}

response = requests.post(url, headers=headers, data=data)

print(response.status_code)
print(response.json())
Loading...