Create and refresh token - OAuth - Mercado Pago Developers

Intelligent search powered by OpenAI

Create and 'refresh_token'

POST

https://api.mercadopago.com/oauth/token

This endpoint is used to create or refresh the necessary Access Token to operate your application.

BODY

RequiredOptional

grant_type

string

REQUIRED

Specify the type of operation to be performed to obtain your Access Token. In the case of Mercado Pago, there are three available access flows:

authorization_code: A flow based on redirection, characterized by user intervention to explicitly authorize the application to access their data and by the use of a code provided by the authentication server so that the application can obtain an Access Token and an associated 'refresh_token'.

refresh_token: If an Access Token generated from the 'authorization_code' flow is invalid or expired, this flow will be used to exchange a temporary grant of the 'refresh_token' type for an Access Token. This allows the Access Token to be refreshed without requiring further user interaction after the authorization granted by the 'authorization_code' flow.

client_credentials: Used to obtain an Access Token without user interaction. This flow is used when applications request an Access Token using only their own credentials to access their own resources, without acting on behalf of a user or accessing their data.

invalid_client

The provided client_id and/or client_secret of your app is invalid.

invalid_grant

There are several reasons for this error, it could be because the authorization_code or refresh_token is invalid, expired or revoked, was sent in an incorrect flow, belongs to another client, or the redirect_uri used in the authorization flow does not match what your application has configured.

invalid_scope

The requested scope is invalid, unknown, or wrongly formed. The allowed values for the scope parameter are “offline_access”, ”write” or ”read”.

invalid_request

The request does not include a required parameter, includes an unsupported parameter or parameter value, has a duplicated value, or is otherwise malformed.

unsupported_grant_type

Allowed values for grant_type are “authorization_code” or “refresh_token”.

forbidden

The call does not authorize access, possibly another user's token is being used.

unauthorized_client

The application does not have a grant with the user or the permissions (scopes) that the application has with this user do not allow creating a token.

local_rate_limited

The call does not authorize access, please try again.

curl -X POST \
    'https://api.mercadopago.com/oauth/token'\
    -H 'Content-Type: application/json' \
    -d '{
  "client_secret": "client_secret",
  "client_id": "client_id",
  "grant_type": "client_credentials",
  "code": "TG-XXXXXXXX-241983636",
  "code_verifier": "47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU",
  "redirect_uri": "https://www.redirect-url.com?code=CODE&state=RANDOM_ID",
  "refresh_token": "TG-XXXXXXXX-241983636",
  "test_token": "false"
}'

{
  "access_token": "APP_USR-4934588586838432-XXXXXXXX-241983636",
  "token_type": "bearer",
  "expires_in": 15552000,
  "scope": "read write offline_access",
  "user_id": 241983636,
  "refresh_token": "TG-XXXXXXXX-241983636",
  "public_key": "APP_USR-d0a26210-XXXXXXXX-479f0400869e",
  "live_mode": true
}

Documentation

Starting now?

Resources

Support

Partners

Community

Navigation

Resources and Community

Mercado Pago

Country and language