# 4. Get the access token

In order to send requests to the API, you must first get your access token.

## Request

You must provide the headers and parameters listed below.

### Certificates

You must use a transport certificate and its private key in order to request an access token.

- For Sandbox testing, you can use the `transport.pem` certificate file which you obtained in [Convert certificates](/docs/guides/build-banking-apps/get-started/prepare-sandbox-environment#convert-certificates), together with the private key generated in step [Generate a CSR](/docs/guides/build-banking-apps/get-started/prepare-sandbox-environment#generate-a-csr).

- For Production, you must use a valid OBIE or eIDAS [transport certificate](/docs/guides/build-banking-apps/introduction-to-the-open-banking-api/global-customer-access-controls#certificate-types) from a regulated Certificate Authority (CA), and its corresponding private key.

:::note
Revolut Open Banking API servers use certificates issued by Open Banking Limited.

You can find the root and issuing certificates on the Open Banking [Certificates and Software Statements](https://openbanking.atlassian.net/wiki/spaces/DZ/pages/23494678/Certificates+and+Software+Statements) page if you need to add them to your truststore.
:::

### Headers

- `Content-Type: application/x-www-form-urlencoded`

### Parameters

- `grant_type`: Must be set to `client_credentials` to get the access token.
- `scope`: Must be set to `accounts`.
- `client_id`: Your client ID, passed as shown in the examples below.

### Example

:::warning
If you get certificate errors when using `curl` with Sandbox, it usually means your system [doesn't trust our certificate issuer](/docs/guides/build-banking-apps/get-started/get-access-token#certificates). The recommended approach is to add the certificate to your trusted store.

As a quick workaround, you can use the `-k` (or `--insecure`) option to skip certificate checks. **Be aware that this disables all verification of the server's TLS certificate, which can hide issues like expired or mismatched certificates and leaves you vulnerable to man-in-the-middle attacks**. For these reasons, avoid using `-k` in production or as a permanent solution.
:::

- ```shell [Production]
  curl --cert transport.pem --key private.key \
  --location -X POST 'https://oba-auth.revolut.com/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=client_credentials' \
  -d 'scope=accounts' \
  -d 'client_id=<your client_id>'
  ```

- ```shell [Sandbox]
  curl --cert transport.pem --key private.key \
  --location -X POST 'https://sandbox-oba-auth.revolut.com/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=client_credentials' \
  -d 'scope=accounts' \
  -d 'client_id=<your client_id>'
  ```

## Response

The response contains the following JSON object:

```json
{
    "access_token":"<access token>",
    "token_type":"Bearer",
    "expires_in":2399
}
```

## What's next

Use this access token as the bearer token to authenticate all subsequent requests to the API, as described in the [Tutorials](../tutorials/get-account-and-transaction-information) section.
Once your token expires (`expires_in` is its lifetime in seconds), repeat the steps above to create a new token.
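
The Sandbox token request and response above as a Python client, added here as an example (it is not Revolut's code): server verification stays on by loading the issuer chain from a CA bundle instead of using `-k`, and a refresh time is derived from `expires_in`. The `ca_bundle` file name, the 60-second skew and all function names are assumptions.

```python
import json
import ssl
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://sandbox-oba-auth.revolut.com/token"  # Sandbox endpoint from this page


def build_tls_context(cert="transport.pem", key="private.key", ca_bundle=None):
    """mTLS context; ca_bundle is a hypothetical PEM with the root and issuing certificates."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # keeps CERT_REQUIRED and hostname checks
    ctx.load_cert_chain(certfile=cert, keyfile=key)     # transport certificate and its private key
    return ctx


def build_token_request(client_id, url=TOKEN_URL):
    # Same form fields and header as the curl examples on this page.
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "scope": "accounts",
        "client_id": client_id,
    }).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_token_response(raw, now=None, skew=60):
    """Return (access_token, refresh_at); refresh_at is `skew` seconds before expiry."""
    doc = json.loads(raw)
    if str(doc.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % doc.get("token_type"))
    expires_in = int(doc.get("expires_in", 0))
    if not doc.get("access_token") or expires_in <= 0:
        raise ValueError("token response lacks access_token or a positive expires_in")
    now = time.time() if now is None else now
    return doc["access_token"], now + max(expires_in - skew, 0)


def fetch_token(client_id, ctx):
    """Network call: POST to the token endpoint over mutual TLS and parse the reply."""
    with urllib.request.urlopen(build_token_request(client_id), context=ctx, timeout=10) as resp:
        return parse_token_response(resp.read())
```

Call `fetch_token("<your client_id>", build_tls_context(ca_bundle="ob-issuer-chain.pem"))` and request a new token once `time.time()` passes the returned `refresh_at`.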