Tokens
In UAE Open Finance, your application uses two types of OAuth 2.0 bearer tokens to make API calls on behalf of a consenting customer.
Two tokens, two lifetimes
| Token | Purpose | Lifetime |
|---|---|---|
| Access token | Authorises individual API requests | 10 minutes |
| Refresh token | Obtains new access tokens without re-authorising the customer | Duration of the consent |
Short-lived credentials presented on every API request
An access token is a short-lived credential that your application includes in the Authorization header of every protected API call:
```http
GET /open-finance/v2.1/accounts HTTP/1.1
Authorization: Bearer <access_token>
```
Access tokens expire after 10 minutes. Once expired, any API call using that token receives a 401 Unauthorized response. Your application must silently refresh the access token using the refresh token before retrying.
Check the expires_in field returned by the /token endpoint (value: 600 seconds). Track the issue time and proactively refresh before the window closes rather than waiting for a 401.
Renewing access without re-authorising the customer
A refresh token allows your application to obtain a new access token without prompting the customer to re-authorise. It is issued alongside the access token during the authorisation code exchange.
The refresh token remains valid for the lifetime of the consent. Once the consent expires — determined by its ExpirationDateTime — the refresh token is also invalidated and the customer must re-authorise.
The ExpirationDateTime is set when the consent resource is created and returned in the consent response object. See the Consent API Guide for details on consent lifecycle and expiry.
To exchange a refresh token for a new access token, POST to the /token endpoint with grant_type=refresh_token and a freshly signed client assertion.
See the Token endpoint API Reference for the full request and response schema.
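The lifecycle described above, as an added example that is not part of the UAE Open Finance documentation: a small Python token manager that refreshes the access token a margin before `expires_in` elapses, sends the refresh_token grant with a freshly signed client assertion on every refresh, retries once on a 401, and refuses to refresh once the consent's ExpirationDateTime has passed. `post_token` and `make_client_assertion` are assumed callables standing in for your HTTP client and your assertion signer, and the 60-second margin is a local choice, not a value from the specification.

```python
import time
from dataclasses import dataclass, field

REFRESH_MARGIN = 60  # seconds before expires_in elapses at which we refresh (local choice)
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"  # RFC 7523 value


class ConsentExpired(Exception):
    """The consent's ExpirationDateTime has passed: the refresh token is invalid, re-authorise."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_in: int  # 600 for UAE Open Finance access tokens
    issued_at: float = field(default_factory=time.time)

    def needs_refresh(self, now: float) -> bool:
        return now >= self.issued_at + self.expires_in - REFRESH_MARGIN


class TokenManager:
    def __init__(self, post_token, make_client_assertion, consent_expires_at, tokens):
        self._post_token = post_token  # hypothetical: POSTs a form body to /token, returns the JSON
        self._make_client_assertion = make_client_assertion  # hypothetical: signs a fresh JWT per call
        self._consent_expires_at = consent_expires_at  # consent ExpirationDateTime as epoch seconds
        self.tokens = tokens

    def refresh(self, now: float) -> TokenSet:
        if now >= self._consent_expires_at:
            raise ConsentExpired("consent expired; customer must re-authorise")
        resp = self._post_token({
            "grant_type": "refresh_token",
            "refresh_token": self.tokens.refresh_token,
            "client_assertion_type": JWT_BEARER,
            "client_assertion": self._make_client_assertion(),
        })
        # Keep the existing refresh token unless the server rotated it.
        self.tokens = TokenSet(resp["access_token"], resp.get("refresh_token", self.tokens.refresh_token),
                               int(resp["expires_in"]), issued_at=now)
        return self.tokens

    def access_token(self, now: float) -> str:
        if self.tokens.needs_refresh(now):  # proactive refresh, do not wait for the 401
            self.refresh(now)
        return self.tokens.access_token

    def call(self, send, now: float) -> int:
        status = send(self.access_token(now))  # send(bearer) -> HTTP status
        if status == 401:  # token died early (revocation, clock skew): refresh once and retry
            status = send(self.refresh(now).access_token)
        return status
```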
