Dwolla utilizes the OAuth 2 protocol to facilitate authorization. 

OAuth is an authorization framework that enables a third-party application to obtain access to protected resources in the Dwolla API. For more of an overview in obtaining an application access token, check out our developer documentation. 

If you are looking to build out your application with the Dwolla API, you will need to exchange your client_id and client_secret for an application access token.

The client credentials flow is the simplest OAuth 2 grant, with a server-to-server exchange of your application’s client_id, client_secret for an OAuth application access token. In order to execute this flow, your application will send a POST requests with the Authorization header that contains the word Basic followed by a space and a base64-encoded string client_id:client_secret.

Authorization: Basic Base64(client_id:client_secret)

HTTP request

Production: POST https://api.dwolla.com/token 

Sandbox: POST https://api-sandbox.dwolla.com/token 

Including the Content-Type: application/x-www-form-urlencoded header, the request is sent to the token endpoint with grant_type=client_credentials in the body of the request::

Example Request and Response in Sandbox

POST https://api-sandbox.dwolla.com/token
Authorization: Basic YkVEMGJMaEFhb0pDamplbmFPVjNwMDZSeE9Eb2pyOUNFUzN1dldXcXUyeE9RYk9GeUE6WEZ0bmJIbXR3dXEwNVI1Yk91WmVOWHlqcW9RelNSc21zUU5qelFOZUFZUlRIbmhHRGw=
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
{  "access_token": "SF8Vxx6H644lekdVKAAHFnqRCFy8WGqltzitpii6w2MVaZp1Nw",  "token_type": "bearer",  "expires_in": 3600}

Application tokens have a life of 60 minutes. Application tokens do not include a refresh_token, so when the token does expire, a new one will need to be generated using client.auth.client().

For more on this, refer to our SDK’s readme.

Typically we recommend persisting the access token to a shared storage and periodically refreshing. This periodic refresher would call out to the API every 45 minutes to an hour to obtain a fresh access token which will be stored and used for the next 45 minutes to an hour.

Did this answer your question?