Below is a sample request that sends client_id and client_secret in the payload:

1. Client authenticates.

POST /auth/v2/accesstoken?grant_type=client_credentials HTTP/1.1
Host: sandbox.apis.op-palvelut.fi
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
 
client_id=*********&client_secret=*******

In the above request, client_id is your APP API KEY and client_secret is your APP API SECRET. The differences in naming stem from the OAuth 2.0 standard.

2. Authorization server generates and returns access token.

The response will contain the access token and associated data in JSON format, as per the sample below:

{
  "token_type" : "BearerToken",
  "access_token" : "Axqx362CnSmLABgzqcBasG0pxBj9",
  "scope" : "",
  "status" : "approved",
  "refresh_token" : "U71FUIsqADNqpaqhh4pNsqE2YYfPwbUV",
  "refresh_token_expires_in" : "1799",
  "refresh_token_issued_at" : "1521035756257",
  "expires_in" : "86399",
  "refresh_count" : "0"
}

3. Client calls protected resource using access token.

curl -v "https://sandbox.apis.op-palvelut.fi/loans/oneoffs/v1/creditterms" -H "Authorization: Bearer Axqx362CnSmLABgzqcBasG0pxBj9"
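
The three steps above in Python, as an added example that is not part of the original documentation. It assumes expires_in is a lifetime in seconds, as in OAuth 2.0; the function names and the 60-second safety margin are chosen for illustration.

```python
import json
import time
import urllib.parse
import urllib.request

# URL and field names are taken from the sample request and response above.
TOKEN_URL = "https://sandbox.apis.op-palvelut.fi/auth/v2/accesstoken?grant_type=client_credentials"

# Sample response from step 2, trimmed to the fields used here.
SAMPLE_RESPONSE = """{"token_type": "BearerToken", "status": "approved",
 "access_token": "Axqx362CnSmLABgzqcBasG0pxBj9", "expires_in": "86399"}"""


def build_token_request(client_id, client_secret):
    """Step 1: the credentials go in the form-encoded POST body, never in the URL."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret})
    return urllib.request.Request(
        TOKEN_URL, data=body.encode("ascii"), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Cache-Control": "no-cache"})


def parse_token_response(raw, received_at, margin=60):
    """Step 2: validate the response and compute when to stop using the token."""
    doc = json.loads(raw)
    if doc.get("status") != "approved" or not doc.get("access_token"):
        raise ValueError("token request was not approved")
    # Numeric fields arrive as JSON strings. Assumption: expires_in is in seconds.
    lifetime = int(doc["expires_in"])
    return {"access_token": doc["access_token"],
            "expires_at": received_at + lifetime - margin}


def auth_header(token, now):
    """Step 3: build the header; refuse a token that has passed its deadline."""
    if now >= token["expires_at"]:
        raise ValueError("access token expired; request a new one")
    # The response says token_type "BearerToken", but the header scheme is "Bearer".
    return {"Authorization": "Bearer " + token["access_token"]}


if __name__ == "__main__":
    token = parse_token_response(SAMPLE_RESPONSE, received_at=time.time())
    # Print header names only, so the token does not end up in logs.
    print(sorted(auth_header(token, time.time())))
```

To send the request, pass the object from build_token_request to urllib.request.urlopen and read the credentials from the environment or a secret store rather than from source code.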