OAuth 2.0 is an industry standard used to protect access to APIs. SWIFT OAuth Token API is used to issue tokens needed to access SWIFT API products.
Depending on the API product you are trying to access, you will use one of two OAuth grant types:
- Password Grant Type
- JWT Bearer Grant Type
Password Grant Type (Live) URL:
JWT Bearer Grant Type (Live) URL:
JWT Bearer Grant Type (Pilot) URL:
Your application credentials are exchanged via the Basic Authentication Scheme in the Authorization header. Your application credentials are the Consumer Key and Consumer Secret of the app you created; you can create an app by going to My Apps. Calculate the base64-encoded value of `$consumer-key:$consumer-secret` and place it in the Authorization header after the keyword `Basic`. For example, `ZGVtbzpwQDU1dzByZA==` is the base64-encoded value of "demo:p@55w0rd", giving:

Authorization: Basic ZGVtbzpwQDU1dzByZA==
Request Body (different for each OAuth Grant Type)
Determine the OAuth grant type by going to the reference page; this information is in the Authentication section of the OpenAPI specification of each API product.
Password Grant Type using SWIFT issued License ID & License Secret

| Parameter | Description |
|---|---|
| username | Use "License ID" for the API product in Live after subscribing. To try it out in Sandbox, use |
| password | Use "License Secret" for the API product in Live after subscribing. To try it out in Sandbox, use |
JWT Bearer Grant Type using SWIFT issued PKI Certificate

| Parameter | Description |
|---|---|
| scope | Name of the service, role and qualifiers, i.e. |
| assertion | Use your SWIFT issued PKI certificate to create a signed JWT (JSON Web Token). To try it out in Sandbox, use demo.jks to generate this value |
Run the Postman collection to see examples for both grant types and of how to refresh and revoke tokens.
The access token returned from the /token endpoint is used as the bearer token in each subsequent call to SWIFT APIs. The bearer token is exchanged via the Bearer Authentication Scheme in the Authorization header. For example, if `eqKaLgPGmrWyDTystA3HV233gyfk` is the access token:

Authorization: Bearer eqKaLgPGmrWyDTystA3HV233gyfk
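The following Python is an added example, not SWIFT's own code or Postman collection, that assembles the pieces described above: the Basic credential for the token endpoint, the form bodies for the two grant types, and the Bearer header for later API calls. It assumes the standard OAuth 2.0 field names (`grant_type=password` per RFC 6749 and `urn:ietf:params:oauth:grant-type:jwt-bearer` per RFC 7523), a placeholder token URL because the page does not print the live/pilot URLs, and constructed sample JWTs; it checks that an assertion is a signed JWT in shape only and does not verify the PKI signature.

```python
import base64
import json
from urllib.parse import urlencode

# Placeholder: the page does not print the Live/Pilot token URLs (hypothetical host).
TOKEN_URL = "https://oauth.example.invalid/token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def basic_auth_header(consumer_key: str, consumer_secret: str) -> str:
    """Token-endpoint credential: base64 of "$consumer-key:$consumer-secret" (RFC 7617)."""
    raw = f"{consumer_key}:{consumer_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def password_grant_body(license_id: str, license_secret: str) -> str:
    """Password grant (RFC 6749 s4.3): License ID / License Secret go in username / password."""
    return urlencode({"grant_type": "password", "username": license_id, "password": license_secret})


def jwt_bearer_body(scope: str, signed_jwt: str) -> str:
    """JWT Bearer grant (RFC 7523). The assertion must be a JWT signed with the PKI certificate;
    only its compact-JWS shape and its header's alg are checked here, not the signature."""
    parts = signed_jwt.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("assertion must be a compact JWS: header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("assertion is unsigned (alg=none); a PKI-signed JWT is required")
    return urlencode({"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
                      "scope": scope, "assertion": signed_jwt})


def token_request(consumer_key: str, consumer_secret: str, body: str) -> dict:
    """Assemble the POST /token request (not sent): Basic credential plus form-encoded grant body."""
    return {"method": "POST", "url": TOKEN_URL, "body": body,
            "headers": {"Authorization": basic_auth_header(consumer_key, consumer_secret),
                        "Content-Type": "application/x-www-form-urlencoded"}}


def bearer_header(access_token: str) -> str:
    """Authorization value for every subsequent API call (RFC 6750)."""
    return "Bearer " + access_token


# Constructed sample assertions (not real tokens): one RS256-shaped, one with alg=none.
_CLAIMS = _b64url(json.dumps({"iss": "demo", "sub": "demo"}).encode())
SAMPLE_SIGNED_JWT = ".".join([_b64url(b'{"alg":"RS256","typ":"JWT"}'), _CLAIMS, _b64url(b"fake-sig")])
SAMPLE_UNSIGNED_JWT = ".".join([_b64url(b'{"alg":"none","typ":"JWT"}'), _CLAIMS, _b64url(b"junk")])
```

`basic_auth_header("demo", "p@55w0rd")` reproduces the page's `Basic ZGVtbzpwQDU1dzByZA==` value, which is a quick way to confirm the encoding step before sending real credentials.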
Your application is responsible for securely managing the tokens it obtains, both in storage and in transit.
It is strongly recommended that your application dispose of tokens that are no longer needed via the /revoke endpoint. SWIFT will invalidate revoked tokens from further use; once invalidated, they can no longer be used to access SWIFT APIs.