Tink OAuth API

OAuth 2.0 client-credentials, refresh, and delegated authorization-grant endpoints that gate every Tink API. Includes permanent user creation and Tink Link session delegation.

Tink OAuth API is one of 9 APIs that Tink publishes on the APIs.io network, described by a machine-readable OpenAPI specification.

This API exposes 1 machine-runnable capability that can be deployed as REST, MCP, or Agent Skill surfaces via Naftiko.

Tagged areas include OAuth, Authentication, and Users. The published artifact set on APIs.io includes API documentation, an OpenAPI specification, and 1 Naftiko capability spec.

OpenAPI Specification

tink-oauth-api-openapi.yml Raw ↑
# OpenAPI 3.1 description of the Tink OAuth token, authorization-grant, and
# user-lifecycle endpoints.
openapi: 3.1.0
info:
  title: Tink OAuth and Authorization API
  # Folded scalar (`>`): the lines below are joined with spaces into one
  # paragraph. It names three credential types issued by this service: client
  # access tokens, user access tokens, and short-lived authorization codes.
  # Per the last sentence, every other Tink API trusts bearer tokens minted
  # here, so credentials sent to these endpoints are the root of that trust and
  # belong in server-side secret storage, not in client code or logs.
  description: >
    OAuth 2.0 client-credentials, refresh, and delegated authorization-grant
    endpoints that gate every Tink data, payments, and reporting API. Tink
    issues client access tokens for server-to-server calls, user access tokens
    on behalf of an end user, and short-lived authorization codes that the
    Tink Link flow exchanges for user tokens. All other Tink APIs require a
    Bearer token issued by this service.
  # Quoted so the value stays the string "1.0" instead of being read as a float.
  version: '1.0'
  contact:
    name: Tink Developer Support
    url: https://docs.tink.com/
  license:
    name: Tink Terms of Service
    url: https://tink.com/terms-and-conditions/
# Two production base URLs (EU and US), both HTTPS. No sandbox or test server
# is declared in this document.
servers:
  - url: https://api.tink.com
    description: Tink EU Production
  - url: https://api.us.tink.com
    description: Tink US Production
# Document-wide default: any operation that does not declare its own `security`
# key inherits the BearerAuth requirement. An operation opts out with an
# operation-level `security: []`.
security:
  - BearerAuth: []
# Tags group operations in generated documentation; operations under `paths`
# reference them by name.
tags:
  - name: OAuth
    description: Token, authorization, and delegated grant endpoints.
  - name: User
    description: Permanent user lifecycle management.
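paths:
  # Token endpoint: the only operation in this document that returns access
  # tokens. Secrets (client_secret, code, refresh_token) travel in the
  # form-encoded body, so call it from a backend and keep request bodies out
  # of logs.
  /api/v1/oauth/token:
    post:
      summary: Tink Create An OAuth Token
      description: >
        Issue an OAuth 2.0 access token. Supports `client_credentials` for
        server-side calls, `authorization_code` to exchange a Tink Link or
        delegated grant code for a user token, and `refresh_token` to renew
        an existing user token without re-authentication.
      operationId: createOauthToken
      tags:
        - OAuth
      # Opt out of the document-wide BearerAuth default: this operation is what
      # issues the bearer token, and TokenRequest carries client_id and
      # client_secret in the form body. Without this override, generated
      # clients and validators treat a bearer token as mandatory here.
      security: []
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/TokenRequest'
      responses:
        '200':
          description: Access token issued.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        # NOTE(review): the shared Unauthorized response is worded for bearer
        # failures ("Missing or invalid bearer token"); confirm what this
        # endpoint returns for rejected client credentials and describe it.
        '401':
          $ref: '#/components/responses/Unauthorized'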
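  # Authorization grant: returns a one-time `code` for an existing permanent
  # user. Until it is exchanged the code stands in for the user's consent, so
  # treat it as a credential (no logging, no query strings) and request only
  # the scopes the integration needs.
  # NOTE(review): the scope the caller's bearer token must hold for this call
  # is not stated in this document; add it to the description.
  /api/v1/oauth/authorization-grant:
    post:
      summary: Tink Create An Authorization Grant
      description: >
        Mint a one-time authorization code for an existing permanent user.
        The returned `code` is exchanged at `/api/v1/oauth/token` with
        `grant_type=authorization_code` to obtain a user access token scoped
        to the requested data products.
      operationId: createAuthorizationGrant
      tags:
        - OAuth
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/AuthorizationGrantRequest'
      responses:
        '200':
          description: Authorization code issued.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthorizationGrantResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        # This operation inherits the document-wide BearerAuth requirement, so
        # the missing/invalid-token outcome is documented like on user/delete.
        '401':
          $ref: '#/components/responses/Unauthorized'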
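  # Delegated grant: returns a code for a user who has not yet connected a
  # bank; the end user then authenticates and consents in Tink Link.
  # NOTE(review): the description says a Tink Link URL is returned, but the
  # 200 schema (AuthorizationGrantResponse) declares only `code`. Confirm
  # whether the URL is part of the response or is built by the caller.
  /api/v1/oauth/authorization-grant/delegate:
    post:
      summary: Tink Create A Delegated Authorization Grant
      description: >
        Mint a delegated authorization code for a user who has not yet
        connected a bank, returning a Tink Link URL the customer can launch
        to authenticate with their bank and consent to the requested scopes.
      operationId: createDelegatedAuthorizationGrant
      tags:
        - OAuth
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/DelegatedAuthorizationGrantRequest'
      responses:
        '200':
          description: Delegated authorization code issued.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthorizationGrantResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        # This operation inherits the document-wide BearerAuth requirement, so
        # the missing/invalid-token outcome is documented like on user/delete.
        '401':
          $ref: '#/components/responses/Unauthorized'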
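  # User creation: registers a Tink user keyed by the caller-supplied
  # `external_user_id`. This is the only operation here with a JSON request
  # body; the OAuth operations use form encoding.
  /api/v1/user/create:
    post:
      summary: Tink Create A Permanent User
      description: >
        Create a permanent Tink user identified by `external_user_id` for
        repeat data access. Required before delegating authorization for
        continuous-access products such as Transactions, Balance Check, and
        Account Check refreshes.
      operationId: createUser
      tags:
        - User
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateUserRequest'
      responses:
        '200':
          description: User created.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UserResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        # This operation inherits the document-wide BearerAuth requirement, so
        # the missing/invalid-token outcome is documented like on user/delete.
        '401':
          $ref: '#/components/responses/Unauthorized'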
  # User deletion: irreversible per the description ("Permanently delete ...
  # all associated credentials"). Modelled as POST, not DELETE.
  # NOTE(review): no requestBody or parameters are declared, so the user to
  # delete is presumably identified by the bearer token itself — confirm, and
  # document which token type and scope are accepted, since any holder of a
  # qualifying token can trigger the deletion.
  /api/v1/user/delete:
    post:
      summary: Tink Delete A User
      description: Permanently delete a Tink user and all associated credentials.
      operationId: deleteUser
      tags:
        - User
      responses:
        # 204: success carries no response body.
        '204':
          description: User deleted.
        '401':
          $ref: '#/components/responses/Unauthorized'
components:
  securitySchemes:
    # HTTP bearer authentication: the token is sent in the Authorization
    # header. `bearerFormat` is a documentation hint only; it does not make
    # validators or gateways check that the token is a well-formed JWT.
    BearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
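  schemas:
    # Form body of POST /api/v1/oauth/token. Only `grant_type` is required by
    # the schema, so validation alone does not catch a request that omits the
    # field its grant needs (e.g. `code` for `authorization_code`).
    # NOTE(review): the per-grant required fields are not spelled out in this
    # document; consider modelling them explicitly.
    TokenRequest:
      type: object
      required:
        - grant_type
      properties:
        grant_type:
          type: string
          enum: [client_credentials, authorization_code, refresh_token]
        client_id:
          type: string
        # Long-lived client secret. `format: password` is an annotation that
        # lets documentation UIs mask the value; it does not change validation.
        client_secret:
          type: string
          format: password
        # One-time code obtained from an authorization-grant operation.
        code:
          type: string
        # Renews a user token without re-authentication, so it is as sensitive
        # as the access token it replaces.
        refresh_token:
          type: string
          format: password
        scope:
          type: string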
    # JSON body returned by the token endpoint on 200. No `required` list is
    # declared, so consumers should tolerate any of these fields being absent
    # (for example `refresh_token`).
    TokenResponse:
      type: object
      properties:
        # Bearer credential: store server-side and keep out of logs and URLs.
        access_token:
          type: string
        token_type:
          type: string
          example: bearer
        # NOTE(review): unit is not stated here; presumably seconds, as in
        # OAuth 2.0 (RFC 6749) — confirm.
        expires_in:
          type: integer
          format: int32
        # Long-lived credential; handle with the same care as access_token.
        refresh_token:
          type: string
        # Scopes actually granted, which may differ from those requested —
        # check this value rather than assuming the request was honoured.
        scope:
          type: string
        # NOTE(review): meaning of id_hint is not described in this document.
        id_hint:
          type: string
    # Form body of POST /api/v1/oauth/authorization-grant. The user is named by
    # the caller-supplied `external_user_id`, so the caller is responsible for
    # mapping its own authenticated session to the right identifier.
    AuthorizationGrantRequest:
      type: object
      required:
        - external_user_id
        - scope
      properties:
        external_user_id:
          type: string
        # Scopes the resulting user token will carry; request the minimum.
        # NOTE(review): the delimiter for multiple scopes is not stated here.
        scope:
          type: string
        id_hint:
          type: string
    # Form body of POST /api/v1/oauth/authorization-grant/delegate. Unlike the
    # non-delegated request, only `scope` is required, so a body that names no
    # user passes schema validation.
    # NOTE(review): confirm how the user is identified when `external_user_id`
    # is omitted, and whether `actor_client_id` should be required.
    DelegatedAuthorizationGrantRequest:
      type: object
      required:
        - scope
      properties:
        external_user_id:
          type: string
        # Presumably the client the code is delegated to — TODO confirm.
        actor_client_id:
          type: string
        scope:
          type: string
        id_hint:
          type: string
    # Shared 200 body of both authorization-grant operations.
    AuthorizationGrantResponse:
      type: object
      properties:
        # One-time authorization code, exchanged at /api/v1/oauth/token with
        # grant_type=authorization_code. Treat as a credential until used.
        code:
          type: string
    # JSON body of POST /api/v1/user/create.
    CreateUserRequest:
      type: object
      required:
        - external_user_id
        - market
        - locale
      properties:
        # Caller-chosen identifier that later requests use to name this user.
        # Prefer an opaque internal ID over personal data such as an e-mail
        # address, since the value is repeated in later API calls.
        external_user_id:
          type: string
        market:
          type: string
          example: GB
        locale:
          type: string
          example: en_US
        # Optional. NOTE(review): the operation is titled "Create A Permanent
        # User" yet TEMPORARY is accepted; the default and the retention
        # behaviour of each value are not described here.
        retention_class:
          type: string
          enum: [PERMANENT, TEMPORARY]
    # 200 body of user creation: returns `user_id` alongside the caller's
    # own `external_user_id`.
    UserResponse:
      type: object
      properties:
        user_id:
          type: string
        external_user_id:
          type: string
    # Error body used by the shared BadRequest and Unauthorized responses.
    # Field names are camelCase here, while the request and response schemas
    # above use snake_case. Branch on `errorCode`; `errorMessage` is free text.
    Error:
      type: object
      properties:
        errorMessage:
          type: string
        errorCode:
          type: string
  # Reusable responses, referenced from operations via `$ref`. Both carry the
  # same Error schema as a JSON body.
  responses:
    BadRequest:
      description: Invalid request.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    # The wording covers bearer-token failures only; an operation that
    # authenticates some other way needs its own 401 description.
    Unauthorized:
      description: Missing or invalid bearer token.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'