Get a Bearer Token

Bearer tokens allow your app to access WAX ExpressTrade and other API endpoints on a user’s behalf, limited to the OAuth Scopes a user has granted.

Once a user signs in to WAX All Access and approves your app, you can use the code parameter returned in the redirect_uri to get a bearer token.

Authorization: Return URL

WAX All Access returns the following parameters to your app:

Parameter Example Description
state state=1234567 The state value that was passed in your Authorization URL. Use this to make sure that the return authorization originated from your app.
error &error=access_denied Only included if the user denied access. Returns access_denied (the literal string).
code code=xxYxyxXxy9XX9XXy Included when the user approves access. You can use this authorization code to get a bearer token and make API calls on a user's behalf.

Example (Approved)

Exchange Your Authorization Code

To exchange your code for a bearer token, you’ll need to call the access_token endpoint.


Environment URL

Header Parameters

You’ll need to use Basic authorization to authenticate with the access_token endpoint. Refer to Use Basic Authorization for more information.

  • Secret Keeping Clients: If you have a client secret, your username is your client_id, and the password is your client secret.

  • Non-secret Keeping Clients: If your app doesn’t have a client secret, you’ll need to generate a random string and save it securely on the user's device.

    Important: You must use the same device secret to refresh your bearer token using a refresh token.

Body Parameters

When you make a POST request for a bearer token, you must include the following form-urlencoded parameters:

Parameter Example Description
grant_type authorization_code Required. Use authorization_code (the literal string)
code xxYxyxXxy9XX9XXy Required. The authorization code you received in the Return URI.

Note: Authorization codes are valid only for a single-use.

Example Request

curl -X POST \ \
  -H 'Authorization: Basic ABCdEfG0ABCdMTU5OjFhM2M0ABC2NzgwZjU5ABChYjI4M2I2ABclYTkzM2Y3ZWQ0NTdmMjMwZTBl' \
  --data grant_type=authorization_code \
  --data code=xxYxyxXxy9XX9XXy

Response (duration=permanent)

If you used the duration=permanent parameter in your Authorization URL, you’ll receive an access_token and a refresh_token. Otherwise, you’ll only receive an access_token that expires in 30 minutes.

    "access_token": "AQAAAAQAAAAAAAVd4P////9Z3Sdf3C+GZhYgJzVwBLYfjo+n8LIAzj+JaAippILcmeX2e2o=",
    "token_type": "bearer",
    "expires_in": 1800,
    "scope": "identity items",
    "refresh_token": "6EnU6ZvGi5OoBcSpGs2V4PkcgfBgwr1V"

What's Next