Dwolla utilizes the OAuth 2 protocol to facilitate authorization. 

OAuth is an authorization framework that enables a third-party application to obtain access to protected resources in the Dwolla API. For an overview of obtaining an application access token, see our developer documentation.

If you are looking to build out your application with the Dwolla API, you will need to exchange your client_id and client_secret for an application access token.

HTTP request

Production: POST https://www.dwolla.com/oauth/v2/token

Sandbox: POST https://sandbox.dwolla.com/oauth/v2/token

Including the Content-Type: application/x-www-form-urlencoded header, the request is sent to the token endpoint with the following form-encoded parameters:

Example Request and Response in Sandbox

Request:

POST https://sandbox.dwolla.com/oauth/v2/token
Content-Type: application/x-www-form-urlencoded

Response:

{
  "access_token": "SF8Vxx6H644lekdVKAAHFnqRCFy8WGqltzitpii6w2MVaZp1Nw",
  "token_type": "bearer",
  "expires_in": 3600
}

Application tokens are valid for 60 minutes. They do not include a refresh_token, so when a token expires, a new one must be generated using client.auth.client().

For more on this, refer to our SDK’s readme.

Typically we recommend persisting the access token to shared storage and refreshing it periodically. The refresher calls the API every 45 minutes to an hour to obtain a fresh access token, which is then stored and used for the next 45 minutes to an hour.
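The refresh pattern described above, as an added example (not Dwolla's code and not part of its SDK): a token holder that requests a new token once the current one is 45 minutes old and keeps serving the old one if that refresh fails before the 60-minute expiry. `AppTokenCache`, `fetch_token` and `make_fake_endpoint` are hypothetical names, the in-process cache stands in for the shared storage, and the token values are constructed.

```python
import threading
import time

REFRESH_AFTER = 45 * 60  # seconds; the refresh interval suggested above


class AppTokenCache:
    """Holds one application token and replaces it before the 60-minute expiry."""

    def __init__(self, fetch_token, clock=time.monotonic):
        self._fetch_token = fetch_token  # hypothetical callable returning the token JSON as a dict
        self._clock = clock              # injectable so the expiry logic can be tested offline
        self._lock = threading.Lock()    # one refresh at a time, even with many worker threads
        self._token, self._fetched_at, self._expires_in = None, 0.0, 0

    def get(self):
        with self._lock:
            age = None if self._token is None else self._clock() - self._fetched_at
            if age is None or age >= REFRESH_AFTER:
                try:
                    self._refresh()
                except Exception:
                    # A failed refresh is tolerable only while the old token is still valid.
                    if age is None or age >= self._expires_in:
                        raise
            return self._token

    def _refresh(self):
        body = self._fetch_token()
        if str(body.get("token_type", "")).lower() != "bearer" or not body.get("access_token"):
            raise ValueError("token endpoint returned an unexpected body")
        self._token = body["access_token"]
        self._expires_in = int(body["expires_in"])
        self._fetched_at = self._clock()


def make_fake_endpoint():
    """Constructed stand-in for the token endpoint: a new made-up token on every call."""
    calls = []
    def fetch():
        calls.append(1)
        return {"access_token": f"constructed-token-{len(calls)}", "token_type": "bearer", "expires_in": 3600}
    return fetch, calls


if __name__ == "__main__":
    fetch, calls = make_fake_endpoint()
    cache = AppTokenCache(fetch)
    tokens = {cache.get() for _ in range(3)}
    print(f"{len(calls)} token request, {len(tokens)} distinct token")  # the token value is never printed
```

In a real deployment `fetch_token` would wrap the token request shown earlier or the SDK call, and the stored token should be treated like the client_secret: kept out of logs and readable only by the services that use it.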
