Mastercard FDX Authorization API
Dynamic Client Registration, Token, Introspection, Authorize API.
Dynamic Client Registration, Token, Introspection, Authorize API.
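# OpenAPI description of the FDX authorization server: dynamic client
# registration, token, pushed authorization (PAR), authorize and introspection.
openapi: 3.0.3
info:
  title: Mastercard Developer Hub for FDX APIs FDX Authorization Server
  version: '1.0.0'
  description: Dynamic Client Registration, Token, Introspection, Authorize API
  contact:
    name: API Support
    # The address was replaced by the hosting page's e-mail obfuscation. It is
    # quoted so it parses as a string rather than a flow sequence; restore the
    # real address from the upstream spec.
    email: '[email protected]'
    url: 'https://developer.mastercard.com/support'
servers:
  # Plain-HTTP localhost entry, suitable for a local mock only. The endpoints
  # in this file carry client assertions, authorization codes and tokens, so
  # any non-local server entry needs an https:// URL.
  - url: 'http://localhost:8080'
    description: Localhost URL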
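# Endpoint catalogue. No top-level `security` is declared in this file, so an
# operation is protected at the OpenAPI level only where it lists `bearerAuth`.
paths:
  /fdx/v6/register:
    post:
      tags:
        - Dynamic Client Registration
      summary: Mastercard Developer Hub for FDX APIs Client Registration Request
      description: Request to Register Client
      operationId: registerClient
      requestBody:
        $ref: '#/components/requestBodies/RegisterClientRequest'
      responses:
        '200':
          $ref: '#/components/responses/RegisterClient'
      # `{}` is the empty security requirement: registration is documented as
      # callable without credentials, so redirect_uris and jwks_uri arrive
      # from an unauthenticated caller.
      # NOTE(review): the `client.create` scope and the "Get Client
      # Registration Token" example in this file suggest registration may
      # expect a bearer token - confirm, and list `bearerAuth` here if so.
      security:
        - {}
  /oauth2/token:
    post:
      tags:
        - Resource Token
      summary: Mastercard Developer Hub for FDX APIs Get Token
      description: Get Token as per grant_type
      operationId: getToken
      requestBody:
        $ref: '#/components/requestBodies/CreateTokenRequest'
      responses:
        '200':
          $ref: '#/components/responses/CreateToken'
      # No HTTP-level scheme: the client authenticates inside the request body
      # with client_assertion / client_assertion_type.
      security:
        - {}
  /fdx/v6/register/{clientId}:
    # Client-management operations. All three require `bearerAuth`.
    get:
      tags:
        - Dynamic Client Registration
      summary: Mastercard Developer Hub for FDX APIs Get Client
      description: Get a specific client data identified with clientId
      operationId: getClient
      parameters:
        - $ref: '#/components/parameters/clientId'
      responses:
        '200':
          $ref: '#/components/responses/GetClient'
      security:
        - bearerAuth: []
    put:
      tags:
        - Dynamic Client Registration
      summary: Mastercard Developer Hub for FDX APIs Update Client
      description: Update data for a specific client identified with clientId
      operationId: modifyClient
      parameters:
        - $ref: '#/components/parameters/clientId'
      requestBody:
        $ref: '#/components/requestBodies/ModifyClientRequest'
      responses:
        '200':
          $ref: '#/components/responses/ModifyClient'
      security:
        - bearerAuth: []
    delete:
      tags:
        - Dynamic Client Registration
      summary: Mastercard Developer Hub for FDX APIs Delete Client
      description: Delete data for a specific client identified with clientId
      operationId: deleteClient
      parameters:
        - $ref: '#/components/parameters/clientId'
      responses:
        # A 204 response carries no body, so no `content` is declared for it.
        '204':
          description: 'No Content'
      security:
        - bearerAuth: []
  /oauth2/par:
    post:
      tags:
        - PAR+RAR Authorize
      summary: Mastercard Developer Hub for FDX APIs Submit an Authorization Request
      description: Clients can submit their authorization requests to this endpoint to receive a request URI for user redirection.
      operationId: authorizeViaParRar
      requestBody:
        $ref: '#/components/requestBodies/PARRequestBody'
      responses:
        '200':
          $ref: '#/components/responses/PAR'
      # No HTTP-level scheme: the client authenticates inside the form body
      # with client_assertion / client_assertion_type.
      security:
        - {}
  /oauth2/authorize:
    # Front-channel endpoint: it has no `security` entry and every parameter
    # arrives in the query string. End-user authentication is not described
    # in this file.
    get:
      tags:
        - Non PAR Authorize
      summary: Mastercard Developer Hub for FDX APIs User Authorization Endpoint
      description: This endpoint allows users to authorize a client application to access their resources. It returns an authorization code or token based on the grant type and flow. (Don't hit copy the url from curl)
      # Kept as published: generated clients use operationId as the method
      # name, so renaming it is an interface change.
      operationId: parAuthorizeDonTHitCopyTheUrlFromCurl
      parameters:
        - $ref: '#/components/parameters/clientIdQuery'
        - $ref: '#/components/parameters/ResponseType'
        - $ref: '#/components/parameters/CodeChallenge'
        - $ref: '#/components/parameters/CodeChallengeMethod'
        - $ref: '#/components/parameters/RequestUri'
        - $ref: '#/components/parameters/Scope'
        - $ref: '#/components/parameters/RedirectUri'
        - $ref: '#/components/parameters/RequestJWT'
        - $ref: '#/components/parameters/State'
      responses:
        '200':
          $ref: '#/components/responses/AuthorizeURL'
  /oauth2/introspect:
    post:
      tags:
        - Token Introspection
      summary: Mastercard Developer Hub for FDX APIs Token Introspection Endpoint
      description: This endpoint allows clients to validate an access token and retrieve its metadata, such as its validity, scopes, and associated user details.
      operationId: introspectionToken
      requestBody:
        $ref: '#/components/requestBodies/IntrospectRequestBody'
      responses:
        '200':
          $ref: '#/components/responses/Introspect'
      # No HTTP-level scheme: the caller authenticates inside the form body
      # with client_assertion. Introspection returns subject, scope and
      # audience, so the endpoint depends on that assertion being verified.
      security:
        - {}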
components:
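# Reusable schemas: client registration metadata, the token / PAR /
# introspection response objects, and the shared scalar fields they reference.
schemas:
  # Registered client metadata as returned by the management operations.
  Client:
    type: object
    properties:
      client_id:
        $ref: '#/components/schemas/client_id'
      client_id_issued_at:
        $ref: '#/components/schemas/client_id_issued_at'
      client_name:
        $ref: '#/components/schemas/client_name'
      redirect_uris:
        $ref: '#/components/schemas/redirect_uris'
      grant_types:
        $ref: '#/components/schemas/grant_types'
      response_types:
        $ref: '#/components/schemas/response_types'
      scope:
        $ref: '#/components/schemas/scope'
      token_endpoint_auth_method:
        $ref: '#/components/schemas/token_endpoint_auth_method'
      id_token_signed_response_alg:
        $ref: '#/components/schemas/id_token_signed_response_alg'
      registration_client_uri:
        $ref: '#/components/schemas/registration_client_uri'
      jwks_uri:
        $ref: '#/components/schemas/jwks_uri'
      token_endpoint_auth_signing_alg:
        $ref: '#/components/schemas/token_endpoint_auth_signing_alg'
  # Registration response: the Client fields plus registration_access_token.
  CreateClient:
    type: object
    properties:
      client_id:
        $ref: '#/components/schemas/client_id'
      client_id_issued_at:
        $ref: '#/components/schemas/client_id_issued_at'
      client_name:
        $ref: '#/components/schemas/client_name'
      redirect_uris:
        $ref: '#/components/schemas/redirect_uris'
      grant_types:
        $ref: '#/components/schemas/grant_types'
      response_types:
        $ref: '#/components/schemas/response_types'
      scope:
        $ref: '#/components/schemas/scope'
      token_endpoint_auth_method:
        $ref: '#/components/schemas/token_endpoint_auth_method'
      id_token_signed_response_alg:
        $ref: '#/components/schemas/id_token_signed_response_alg'
      registration_client_uri:
        $ref: '#/components/schemas/registration_client_uri'
      jwks_uri:
        $ref: '#/components/schemas/jwks_uri'
      token_endpoint_auth_signing_alg:
        $ref: '#/components/schemas/token_endpoint_auth_signing_alg'
      registration_access_token:
        $ref: '#/components/schemas/registration_access_token'
  # Token endpoint response.
  Token:
    type: object
    properties:
      access_token:
        type: string
        description: The access token string as issued by the authorization server.
        example: 'Oki4J36pUhrrQvdLOy8_IqXSdELszmp2VbZ0bNJqAoLSFXIn633SjltVgxQoTZ84bWXnom66AkRFdtVr8HOqi3yaYxCZ-6niRNe00ygCF_o0Ky6upoZWJ'
      scope:
        type: string
        description: The scopes contained in the access token.
        example: client.read
      token_type:
        type: string
        description: The type of token.
        # Was `refresh_token`, which is a grant type / token_type_hint value.
        # The CreateToken response example and TokenIntrospection in this
        # file both use Bearer.
        example: Bearer
      expires_in:
        type: number
        description: The expiration time of the access token in seconds.
        example: 3600
  # Pushed authorization request (PAR) response.
  Par:
    type: object
    properties:
      expires_in:
        type: number
        description: The expiration time of the request_uri in seconds.
        example: 3600
      request_uri:
        type: string
        example: 'urn:ietf:params:oauth2:eb6b74fb-2249-499a-9889-3e1c485e687b'
        description: The request URI corresponding to the authorization request posted. This URI is a single-use reference to the respective request data in the subsequent authorization request.
  # Introspection response. Relying parties should act on `active` first and
  # treat the remaining claims as meaningful only when it is true.
  TokenIntrospection:
    type: object
    properties:
      active:
        type: boolean
        description: Indicates whether the token is active or not.
        example: true
      sub:
        type: string
        description: The subject of the token.
        example: fdxuser
      aud:
        type: array
        items:
          type: string
        description: The audience of the token.
        example:
          - 'dh-fdx-client-registrar-2'
      nbf:
        type: number
        description: Identifies the time (a timestamp in seconds) before which the token must not be accepted for processing.
        example: 1722333643
      scope:
        type: string
        description: A space-delimited list of scopes.
        example: 'fdx:transactions:read'
      iss:
        type: string
        description: The issuer of the token.
        example: 'http://localhost:8080'
      exp:
        type: number
        description: The expiration time of the token in seconds
        example: 1722333943
      iat:
        type: number
        description: The issuing time of the token in seconds
        example: 1722333643
      jti:
        type: string
        description: The identifier of the token.
        example: '10c56f8c-956c-4830-99f1-c66080c589d2'
      client_id:
        type: string
        description: The ID of the client associated with the token.
        example: dh-fdx-client-registrar-2
      token_type:
        type: string
        description: The type of token.
        example: Bearer
  # Shared scalar fields referenced from the objects and request bodies.
  client_id:
    type: string
    example: 'dh-fdx-client-registrar-2'
    description: OAuth 2.0 client identifier. Unique ID representing Data Recipient and Identity Chain combination
  client_id_issued_at:
    type: number
    description: Time at which the client_id was issued (measured in unix seconds)
  # Redirect targets receive authorization codes, so servers implementing this
  # schema are expected to compare redirect_uri against these registered
  # values exactly.
  redirect_uris:
    type: array
    description: Array of redirection URI strings for use in redirect-based flows
    items:
      type: string
      example: 'https://oauth.pstmn.io/v1/browser-callback'
    example:
      - 'https://oauth.pstmn.io/v1/browser-callback'
  client_name:
    type: string
    description: Human-readable string name of the client application
    example: 11TestName1221
  grant_types:
    type: array
    items:
      type: string
      example: client_credentials
    example:
      - client_credentials
      - authorization_code
      - refresh_token
    description: Array of OAuth 2.0 grants made available to the Data Recipient
  response_types:
    type: array
    items:
      type: string
      example: code
    example:
      - code
    description: Array of OAuth 2.0 response type strings. Default value is code
  token_endpoint_auth_method:
    type: string
    description: Requested authentication method for the token endpoint.
    example: private_key_jwt
  id_token_signed_response_alg:
    type: string
    example: PS256
    description: Algorithm with which an id_token is to be signed
  # The example points at a third-party JSON paste host and is illustrative
  # only. Whoever can change the document behind jwks_uri controls the keys
  # the server trusts for this client, so in practice it belongs on an HTTPS
  # origin the client operates.
  jwks_uri:
    type: string
    example: 'https://www.jsonkeeper.com/b/3FJT'
    description: URL string referencing the client's JSON Web Key (JWK) Set [RFC7517] document, which contains the client's public keys
  token_endpoint_auth_signing_alg:
    type: string
    example: PS256
    description: The algorithm used for signing the JWT
  registration_client_uri:
    type: string
    description: Fully qualified URI for subsequent DCR calls (GET, PUT, DELETE) for managing the Data Recipient registration
  # Credential for managing the registration: store and log it with the same
  # care as any other bearer secret.
  registration_access_token:
    type: string
    description: String containing a unique DCR access token to be used in subsequent operations to manage the Data Recipient
  scope:
    type: string
    description: String containing a space-separated list of scope values that the client can use when requesting access tokens.
    example: >-
      client.create client.read fdx:transactions:read
      fdx:accountbasic:read openid fdx:customerpersonal:read
      fdx:accountdetailed:read fdx:investments:read
      fdx:paymentsupport:read fdx:accountpayments:read
      fdx:bills:read fdx:images:read fdx:rewards:read fdx:tax:read
      fdx:statements:read fdx:customercontact:read
  id_token_encrypted_response_alg:
    type: string
    example: RSA-OAEP
    description: JWE alg algorithm with which an id_token is to be encrypted.
  id_token_encrypted_response_enc:
    type: string
    example: A256GCM
    description: JWE enc algorithm with which an id_token is to be encrypted.
  request_object_signing_alg:
    type: string
    example: PS256
    description: Algorithm which the client expects to sign the request object if a request object will be part of the authorization request sent to the Data Holder
  # The example lists the three values seen in this file's request examples.
  # A real request carries exactly one of them.
  grant_type:
    type: string
    example: refresh_token OR client_credentials OR authorization_code
    description: The grant type(s) supported by the Authorisation Server.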
# HTTP bearer scheme required by the client-management operations
# (GET / PUT / DELETE on /fdx/v6/register/{clientId}).
# NOTE(review): presumably the bearer value is the registration_access_token
# returned at registration - confirm against the server.
securitySchemes:
  bearerAuth:
    scheme: bearer
    type: http
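# Path and query parameters. Several examples had their hyphens replaced by
# spaces; they are restored below to match the same values elsewhere in this
# file.
parameters:
  clientId:
    name: clientId
    example: 'dh-fdx-client-registrar-2'
    description: Client Identifier. Uniquely identifies a Client
    in: path
    required: true
    schema:
      type: string
  clientIdQuery:
    name: client_id
    in: query
    schema:
      type: string
    # Was 'dh fdx client registrar 2'. Every other client_id example in this
    # file is hyphenated.
    example: 'dh-fdx-client-registrar-2'
    description: The client identifier issued to the client during the registration process.
  # `token` selects the implicit grant, which returns the access token in the
  # redirect and is discouraged by the OAuth 2.0 Security BCP (RFC 9700). The
  # registration examples in this file only register `code`.
  ResponseType:
    name: response_type
    in: query
    schema:
      type: string
    example: 'code'
    description: The type of response requested. `code` for an authorization code or `token` for an implicit token.
  CodeChallenge:
    name: code_challenge
    in: query
    schema:
      type: string
    # Was 'nZYZ UOfWV7...'. A space is not a valid code_challenge character,
    # so a hyphen is presumed here - confirm against the upstream spec. The
    # value is illustrative only: a real S256 challenge is 43 characters long.
    example: 'nZYZ-UOfWV7Nkkll19ALM6mrcC7eXVWUMPYpQQ'
    description: A code challenge used in the PKCE (Proof Key for Code Exchange) flow, if applicable.
  # `plain` sends the verifier itself as the challenge and gives no protection
  # if the authorization request is observed; prefer S256.
  CodeChallengeMethod:
    name: code_challenge_method
    in: query
    schema:
      type: string
    example: S256
    description: The method used to generate the code challenge (e.g., `plain` or `S256`).
  RequestUri:
    name: request_uri
    in: query
    schema:
      type: string
    # Hyphens restored in the UUID part, matching the Par.request_uri format.
    example: 'urn:ietf:params:oauth2:61fa4c96-3f76-422e-83b4-00e4bad98549'
    description: The URI generated from PAR endpoint.
  Scope:
    name: scope
    in: query
    schema:
      type: string
    # The example is already percent-encoded (%20 between scopes). Tooling
    # that encodes query values itself would encode it a second time.
    example: 'fdx:transactions:read%20fdx:accountbasic:read%20openid%20fdx:customerpersonal:read%20fdx:accountdetailed:read%20fdx:investments:read%20fdx:paymentsupport:read%20fdx:accountpayments:read%20fdx:bills:read%20fdx:images:read%20fdx:rewards:read%20fdx:tax:read%20fdx:statements:read%20fdx:customercontact:read'
    description: The scope of access requested by the client. For example, `read` or `write`.
  RedirectUri:
    name: redirect_uri
    in: query
    schema:
      type: string
    # Was '.../browser callback'. The registered redirect_uris examples use
    # 'browser-callback', and the two must match for the request to succeed.
    example: 'https://oauth.pstmn.io/v1/browser-callback'
    description: The URI to which the authorization server will redirect the user after granting or denying access.
  RequestJWT:
    name: request
    in: query
    schema:
      type: string
    # Placeholder: this is the public jwt.io sample token, whose header says
    # HS256. The registration examples in this file sign request objects with
    # PS256.
    example: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
    description: JWT request object for non par flow
  State:
    name: state
    in: query
    schema:
      type: string
    # Example value only. To serve the CSRF purpose the description names,
    # state has to be an unguessable per-request value that the client checks
    # on the callback.
    example: 'state'
    description: A client generated value used to maintain state between the request and callback to prevent CSRF attacks.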
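# Request bodies. Every client_assertion / request / JWT-shaped value below is
# the public jwt.io sample token (header alg HS256) or a mock string - a
# placeholder, not a credential. Real assertions for private_key_jwt are
# signed with the client's private key (PS256 in the registration examples).
requestBodies:
  # NOTE(review): RFC 6749 token requests are application/x-www-form-urlencoded,
  # which is also what the PAR and introspection bodies in this file declare;
  # confirm the server really accepts JSON on /oauth2/token.
  CreateTokenRequest:
    required: true
    content:
      application/json:
        schema:
          type: object
          properties:
            client_assertion:
              type: string
              example: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
              description: The encoded assertion JWT.
            client_assertion_type:
              type: string
              example: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
              description: This MUST be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer
            client_id:
              $ref: '#/components/schemas/client_id'
            scope:
              $ref: '#/components/schemas/scope'
            grant_type:
              $ref: '#/components/schemas/grant_type'
            redirect_uri:
              type: string
              example: 'https://oauth.pstmn.io/v1/browser-callback'
              description: Callback location where the authorization code should be sent.
            code:
              type: string
              example: 'LvK-fwhBtMxV0fZRDIVnoRZWLx5Ln5QqsON3U6qPCubky9iCLitSTfgNlGayxG7UY2QZyKxGsvO6rvlQnHR155f50Tp6RkWGBC3pBY97IF3_aEmLf3Tc2BdGaABvx1s0'
              description: Required only when exchanging the code for an access token
            # Added: the "Get Access Token" example sends code_verifier, but
            # the schema did not declare it.
            code_verifier:
              type: string
              example: 'fa5893f9c13a82375f4c4cbd982b1112b55242c40bab9'
              description: PKCE code verifier. Required when exchanging an authorization code that was requested with a code_challenge.
            refresh_token:
              type: string
              example: 'Oki4J36pUhrrQvdLOy8_IqXSdELszmp2VbZ0bNJqAoLSFXIn633SjltVgxQoTZ84bWXnom66AkRFdtVr8HOqi3yaYxCZ-6CwtdpaniRNe00ygCF_o91WOW0Ky6upoZWJ'
              description: Required only when refreshing access token.
        examples:
          Get Client Registration Token:
            value:
              client_assertion: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
              client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
              client_id: 'dh-fdx-client-registrar-2'
              grant_type: client_credentials
              scope: client.read
          Get Access Token:
            value:
              client_assertion: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
              client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
              client_id: 'dh-fdx-client-registrar-2'
              code: >-
                LvK-fwhBtMxV0fZRDIVnoRZWLx5Ln5QqsON3U6qPCubky9iCLitSTfgNlGayxG7UY2QZyKxGsvO6rvlQnHR155f50Tp6RkWGBC3pBY97IF3_aEmLf3Tc2BdGaABvx1s0
              code_verifier: 'fa5893f9c13a82375f4c4cbd982b1112b55242c40bab9'
              grant_type: authorization_code
              redirect_uri: 'https://oauth.pstmn.io/v1/browser-callback'
          Get Refresh Token:
            value:
              client_assertion: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
              client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
              client_id: 'dh-fdx-client-registrar-2'
              grant_type: refresh_token
              redirect_uri: 'https://oauth.pstmn.io/v1/browser-callback'
              refresh_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
  # Update of an existing registration. The operation that uses it requires
  # bearerAuth. Changes to redirect_uris and jwks_uri alter where codes are
  # delivered and which keys are trusted, so they merit the same validation
  # as at registration.
  ModifyClientRequest:
    required: true
    content:
      application/json:
        schema:
          type: object
          properties:
            client_name:
              $ref: '#/components/schemas/client_name'
            grant_types:
              $ref: '#/components/schemas/grant_types'
            id_token_encrypted_response_alg:
              $ref: '#/components/schemas/id_token_encrypted_response_alg'
            id_token_encrypted_response_enc:
              $ref: '#/components/schemas/id_token_encrypted_response_enc'
            id_token_signed_response_alg:
              $ref: '#/components/schemas/id_token_signed_response_alg'
            jwks_uri:
              $ref: '#/components/schemas/jwks_uri'
            redirect_uris:
              $ref: '#/components/schemas/redirect_uris'
            request_object_signing_alg:
              $ref: '#/components/schemas/request_object_signing_alg'
            response_types:
              $ref: '#/components/schemas/response_types'
            scope:
              $ref: '#/components/schemas/scope'
            token_endpoint_auth_method:
              $ref: '#/components/schemas/token_endpoint_auth_method'
            token_endpoint_auth_signing_alg:
              $ref: '#/components/schemas/token_endpoint_auth_signing_alg'
        examples:
          Modify Client:
            value:
              client_name: 11TestName12211112
              grant_types:
                - client_credentials
                - authorization_code
                - refresh_token
              id_token_encrypted_response_alg: RSA-OAEP
              id_token_encrypted_response_enc: A256GCM
              id_token_signed_response_alg: PS256
              jwks_uri: 'https://www.jsonkeeper.com/b/3FJT'
              redirect_uris:
                - 'https://oauth.pstmn.io/v1/browser-callback'
              request_object_signing_alg: PS256
              response_types:
                - code
              scope: client.create client.read
              token_endpoint_auth_method: private_key_jwt
              token_endpoint_auth_signing_alg: PS256
  # Initial registration. The operation that uses it declares no security
  # requirement in this file, so every field here is caller-supplied.
  RegisterClientRequest:
    required: true
    content:
      application/json:
        schema:
          type: object
          properties:
            client_name:
              $ref: '#/components/schemas/client_name'
            grant_types:
              $ref: '#/components/schemas/grant_types'
            id_token_encrypted_response_alg:
              $ref: '#/components/schemas/id_token_encrypted_response_alg'
            id_token_encrypted_response_enc:
              $ref: '#/components/schemas/id_token_encrypted_response_enc'
            id_token_signed_response_alg:
              $ref: '#/components/schemas/id_token_signed_response_alg'
            jwks_uri:
              $ref: '#/components/schemas/jwks_uri'
            redirect_uris:
              $ref: '#/components/schemas/redirect_uris'
            request_object_signing_alg:
              $ref: '#/components/schemas/request_object_signing_alg'
            response_types:
              $ref: '#/components/schemas/response_types'
            scope:
              $ref: '#/components/schemas/scope'
            token_endpoint_auth_method:
              $ref: '#/components/schemas/token_endpoint_auth_method'
            token_endpoint_auth_signing_alg:
              $ref: '#/components/schemas/token_endpoint_auth_signing_alg'
        examples:
          Register Client:
            value:
              client_name: 11TestName1221
              grant_types:
                - client_credentials
                - authorization_code
                - refresh_token
              id_token_encrypted_response_alg: RSA-OAEP
              id_token_encrypted_response_enc: A256GCM
              id_token_signed_response_alg: PS256
              jwks_uri: 'https://www.jsonkeeper.com/b/3FJT'
              redirect_uris:
                - 'https://oauth.pstmn.io/v1/browser-callback'
              request_object_signing_alg: PS256
              response_types:
                - code
              scope: >-
                client.create client.read fdx:transactions:read
                fdx:accountbasic:read openid fdx:customerpersonal:read
                fdx:accountdetailed:read fdx:investments:read
                fdx:paymentsupport:read fdx:accountpayments:read
                fdx:bills:read fdx:images:read fdx:rewards:read fdx:tax:read
                fdx:statements:read fdx:customercontact:read
              token_endpoint_auth_method: private_key_jwt
              token_endpoint_auth_signing_alg: PS256
  # Pushed authorization request carrying the RAR authorization_details.
  PARRequestBody:
    required: true
    content:
      application/x-www-form-urlencoded:
        schema:
          type: object
          properties:
            authorization_details:
              type: string
              description: JSON-formatted object with two members in compliance with the RAR format specified by RAR memo, refer FDX spec
              example: >-
                [{"type":"fdx_v1.0","consentRequest":{"durationType":"ONE_TIME","lookbackPeriod":60,"resources":[{"resourceType":"ACCOUNT","dataClusters":["ACCOUNT_DETAILED","TRANSACTIONS","STATEMENTS"]}]}}]
            client_assertion:
              type: string
              example: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
              description: The encoded assertion JWT.
            client_assertion_type:
              type: string
              example: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
              description: This MUST be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer
            client_id:
              $ref: '#/components/schemas/client_id'
            grant_type:
              $ref: '#/components/schemas/grant_type'
            request:
              type: string
              example: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
              # Was a copy of the client_assertion description. This field is
              # the request object, a different JWT from the assertion.
              description: The signed request object JWT carrying the authorization request parameters.
            response_type:
              type: string
              example: 'code'
              description: Supported response type
        examples:
          Authorize (via PAR+RAR):
            value:
              authorization_details: >-
                [{"type":"fdx_v1.0","consentRequest":{"durationType":"ONE_TIME","lookbackPeriod":60,"resources":[{"resourceType":"ACCOUNT","dataClusters":["ACCOUNT_DETAILED","TRANSACTIONS","STATEMENTS"]}]}}]
              client_assertion: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
              client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
              client_id: 'dh-fdx-client-registrar-2'
              grant_type: client_credentials
              request: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
              response_type: 'code'
  # Token introspection request. The caller authenticates with
  # client_assertion.
  IntrospectRequestBody:
    required: true
    content:
      application/x-www-form-urlencoded:
        schema:
          type: object
          properties:
            client_assertion:
              type: string
              example: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
              description: The encoded assertion JWT.
            client_assertion_type:
              type: string
              example: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
              description: This MUST be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer
            client_id:
              $ref: '#/components/schemas/client_id'
            token:
              type: string
              example: 'Oki4J36pUhrrQvdLOy8_IqXSdELszmp2VbZ0bNJqAoLSFXIn633SjltVgxQoTZ84bWXnom66AkRFdtVr8HOqi3yaYxCZ-6niRNe00ygCF_o0Ky6upoZWJ'
              description: Token to be introspected
            token_type_hint:
              type: string
              example: refresh_token
              description: Indicates the type of token being passed. Valid values are access_token, id_token, refresh_token, and device_secret.
        examples:
          Introspection - AccessToken:
            value:
              client_assertion: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
              client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
              client_id: 'dh-fdx-client-registrar-2'
              token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
              token_type_hint: access_token
          Introspection - RefreshToken:
            value:
              client_assertion: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
              client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
              client_id: 'dh-fdx-client-registrar-2'
              token: 'Oki4J36pUhrrQvdLOy8_IqXSdELszmp2VbZ0bNJqAoLSFXIn633SjltVgxQoTZ84bWXnom66AkRFdtVr8HOqi3yaYxCZ-6niRNe00ygCF_o0Ky6upoZWJ'
              token_type_hint: refresh_token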
responses:
# Token endpoint success response, shaped by the Token schema.
CreateToken:
  description: The access token was successfully created
  content:
    application/json:
      schema:
        $ref: '#/components/schemas/Token'
      examples:
        Successful Token Response:
          value:
            # Sample JWT access token for documentation only. Tokens from a
            # live environment should never be pasted into a spec.
            access_token: 'eyJraWQiOiI5OWJjMzNlZS1hMDRkODktOGFlMC01ZGViZDIxNDVhYWIiLCJ0eXAiOiJhdCtqd3QiLCJhbGciOiJQUzI1NiJ9.eyJzdWIiOiZW50LXJlZ2lzdHJhci0yIiwiYXVkIjoiZGgtZmR4LWNsaWVudC1yZWdpc3RyYXItMiIc2NvcGUiOlsiY2xpZW50LnJlYWQiXSwiaXNzIjoiaHR0cHM6Ly9mZHgtbW9jay1hdXRob3JpemF0aW9uLXNlcnZlci5kZXYuZmluaS5jaXR5IiwiZXhwIjoxNzIwNjExNjAyLCJpYXQiOjE3MjA2MTEzMDIsImp0aSI6ImQ2NzcxZjU1LTU2YzAtNDU0Yi04ZjY3LWZmODUzYjdkZTZiMCJ9.lyANAqFMYkcTOtv0G6v1y83LniEQPvZVrzr9d2DbPB3Uqk-0yB8CoM-Z8REOfL0dMVtxRLAyrUKLCNVXcMHljaliXoOfy6J3-VfJoLYZkV9IjL5uVhfkOITnfWYPf9wyFmnIBJEpY57qAsZhyLpe7x_uw9Jcjb9w2zV1qnyFEcn-VPHJb0Wg2FIC5bSB1RoptWRYt_X9Gaxm1bSBg5gSiJr2LKereB_P3pmvqrD3E5I-_GWt3Iw5q6vUqnu4P9EUT0Eri8Ez3Q3oJMn6xTiBd5DORe0w45zLdyqiIK4-qTiVAGGmPfb4fGZzU-Pa0abE2jVt03hITzwUtBvWgMi4Cw'
            scope: client.read
            token_type: Bearer
            expires_in: 299
RegisterClient:
description: Successful register response
content:
application/json:
schema:
$ref: '#/components/schemas/CreateClient'
examples:
Successful Registration:
value:
client_id: CHzOG1x6_fKjBHhh9eegZ45BQorbqtIe9eWJEhLsrig
client_id_issued_at: 1719554524
client_name: 11TestName1221
redirect_uris:
- 'https://oauth.pstmn.io/v1/browser-callback'
grant_types:
- refresh_token
- client_credentials
- authorization_code
response_types:
- code
scope: >-
fdx:transactions:read fdx:accountbasic:read openid client.create
fdx:customerpersonal:read fdx:accountdetailed:read client.read
fdx:investments:read fdx:paymentsupport:read fdx:accountpayments:read
fdx:bills:read fdx:images:read fdx:rewards:read fdx:tax:read
fdx:statements:read fdx:customercontact:read
token_endpoint_auth_method: private_key_jwt
id_token_signed_response_alg: RS256
registration_client_uri: >-
http://localhost:8080/client/register?client_id=CHzOG1x6_fKjBHhh9eegZ45BQorbqtIe9eWJEhLsrig
jwks_uri: 'https://www.jsonkeeper.com/b/3FJT'
registration_access_token: >-
eyJraWQiOiI5OWJjMzNlZS1hMDRkLTRhODktOGFlMC01ZGViZDIxNDVhYWIiLCJ0eXAiOiJhdCtqd3QiLCJhbGciOiJQUzI1NiJ9.eyJzdWIiOi
# --- truncated at 32 KB (37 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/mastercard-fdx/refs/heads/main/openapi/fdx-authorization-api-openapi.yaml