Create and refresh token - OAuth - Mercado Pago Developers
Create and refresh token

POST

/oauth/token
To create or refresh the necessary token to operate your application in the name of a seller.
Request's parameters
client_id

REQUIRED

string
Localization: bodyUnique ID that identifies your application/integration. One of the keys in the pair that make up the credentials that identify an application/integration in your account.
client_secret

REQUIRED

string
Localization: bodyPrivate key to be used in some plugins to generate payments. One of the keys in the pair that make up the credentials that identify an application/integration in your account.
code
string
Localization: bodyCode provided by the authentication server so that the application can obtain an access token and an associated refresh token. It is valid for 10 minutes counted from its generation. Required when grant_type=authorization_code.
grant_type

REQUIRED

string
Localization: bodySpecifies the type of operation to perform. There are two possible operations.
authorization_code: used to get the access token for the first time.
refresh_token: it is used to refresh an existing token.
Response parameters
access_token
string
Localization: bodySecurity code that identifies the user, their privileges and an application used in different requests from public sources to access protected resources. Its validity is determined by the expires_in parameter and is similar to APP_USR-1585551492-030918-25######3458-2880736, which is composed of
Access token type: APP_USR (application on behalf of a user), TEST (test, only valid in sandbox)
Client ID: 1585551492
Creation date (MMddHH): 030918
Security hash: 25######3458
User ID: 2880736
token_type
string
Localization: bodynecessary information for the token to be used correctly to access protected resources. The token of type "bearer" is the only one supported by the authorization server and is used when the access token is included as plain text in the request. It is understood that the bearer has direct access to the token.
expires_in
number
Localization: bodyFixed access_token expiration time expressed in seconds. By default, the expiration time is 180 days (15552000 seconds).
scope
string
Localization: bodyScopes are used in the API authorization and consent process and allow you to determine what access the application requests and what access the user grants. By default, the scopes associated with the token are the ones determined when creating the original token and configuring the application.
Request
curl
curl -X POST \
    'https://api.mercadopago.com/oauth/token' \
    -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
    -H 'Content-Type: application/json' \
    -d '{
  "client_secret": "client_secret",
  "client_id": "client_id",
  "grant_type": "authorization_code",
  "code": "TG-XXXXXXXX-241983636"
}'
Answer
json
{
  "access_token": "APP_USR-4934588586838432-XXXXXXXX-241983636",
  "token_type": "bearer",
  "expires_in": 15552000,
  "scope": "offline_access read write",
  "user_id": 241983636,
  "refresh_token": "TG-XXXXXXXX-241983636",
  "public_key": "APP_USR-d0a26210-XXXXXXXX-479f0400869e",
  "live_mode": true
}
Errors
400bad_request
invalid_client The provided client_id and/or client_secret of your app is invalid.
invalid_grant There are several reasons for this error, it could be because the authorization_code or refresh_token is invalid, expired or revoked, was sent in an incorrect flow, belongs to another client, or the redirect_uri used in the authorization flow does not match what your application has configured.
invalid_scope The requested scope is invalid, unknown, or wrongly formed. The allowed values for the scope parameter are “offline_access”, ”write”, ”read”.
invalid_request The request does not include a required parameter, includes an unsupported parameter or parameter value, has a duplicated value, or is otherwise malformed.
unsupported_grant_type Allowed values for grant_type are “authorization_code” or “refresh_token”.
forbidden The call does not authorize access, possibly another user's token is being used.
unauthorized_client The application does not have a grant with the user or the permissions (scopes) that the application has with this user do not allow creating a token.