Tink OAuth API

OAuth 2.0 client-credentials, refresh, and delegated authorization-grant endpoints that gate every Tink API. Includes permanent user creation and Tink Link session delegation.

OpenAPI Specification

# OpenAPI document for Tink's OAuth / authorization surface. Every other Tink
# API consumes the Bearer tokens issued by the operations described here.
openapi: "3.1.0"
info:
  title: "Tink OAuth and Authorization API"
  version: "1.0"
  description: >
    OAuth 2.0 client-credentials, refresh, and delegated authorization-grant
    endpoints that gate every Tink data, payments, and reporting API. Tink
    issues client access tokens for server-to-server calls, user access tokens
    on behalf of an end user, and short-lived authorization codes that the
    Tink Link flow exchanges for user tokens. All other Tink APIs require a
    Bearer token issued by this service.
  contact:
    name: "Tink Developer Support"
    url: "https://docs.tink.com/"
  license:
    name: "Tink Terms of Service"
    url: "https://tink.com/terms-and-conditions/"
# Production hosts, one per region.
servers:
  - description: "Tink EU Production"
    url: "https://api.tink.com"
  - description: "Tink US Production"
    url: "https://api.us.tink.com"
# Document-wide default: every operation requires a Bearer token unless it
# declares its own `security` list.
security:
  - BearerAuth: []

# Operation groupings used by the `tags` entries under `paths`.
tags:
  - name: "OAuth"
    description: "Token, authorization, and delegated grant endpoints."
  - name: "User"
    description: "Permanent user lifecycle management."
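paths:
  /api/v1/oauth/token:
    post:
      summary: Tink Create An OAuth Token
      description: >
        Issue an OAuth 2.0 access token. Supports `client_credentials` for
        server-side calls, `authorization_code` to exchange a Tink Link or
        delegated grant code for a user token, and `refresh_token` to renew
        an existing user token without re-authentication.
      operationId: createOauthToken
      tags:
        - OAuth
      # This operation is what issues the Bearer tokens the document-wide
      # `security` block demands, so it must not inherit that requirement.
      # The caller authenticates with `client_id` / `client_secret` (or a
      # `code` / `refresh_token`) carried in the form body instead.
      security: []
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/TokenRequest'
      responses:
        '200':
          description: Access token issued.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /api/v1/oauth/authorization-grant:
    post:
      summary: Tink Create An Authorization Grant
      description: >
        Mint a one-time authorization code for an existing permanent user.
        The returned `code` is exchanged at `/api/v1/oauth/token` with
        `grant_type=authorization_code` to obtain a user access token scoped
        to the requested data products.
      operationId: createAuthorizationGrant
      tags:
        - OAuth
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/AuthorizationGrantRequest'
      responses:
        '200':
          description: Authorization code issued.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthorizationGrantResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        # Inherits the document-wide BearerAuth requirement, so a missing or
        # invalid token is a documented outcome, as on the token operation.
        '401':
          $ref: '#/components/responses/Unauthorized'
  /api/v1/oauth/authorization-grant/delegate:
    post:
      summary: Tink Create A Delegated Authorization Grant
      description: >
        Mint a delegated authorization code for a user who has not yet
        connected a bank, returning a Tink Link URL the customer can launch
        to authenticate with their bank and consent to the requested scopes.
      operationId: createDelegatedAuthorizationGrant
      tags:
        - OAuth
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/DelegatedAuthorizationGrantRequest'
      responses:
        '200':
          description: Delegated authorization code issued.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthorizationGrantResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        # Bearer-gated via the document-wide `security` block.
        '401':
          $ref: '#/components/responses/Unauthorized'
  /api/v1/user/create:
    post:
      summary: Tink Create A Permanent User
      description: >
        Create a permanent Tink user identified by `external_user_id` for
        repeat data access. Required before delegating authorization for
        continuous-access products such as Transactions, Balance Check, and
        Account Check refreshes.
      operationId: createUser
      tags:
        - User
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateUserRequest'
      responses:
        '200':
          description: User created.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UserResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        # Bearer-gated via the document-wide `security` block.
        '401':
          $ref: '#/components/responses/Unauthorized'
  /api/v1/user/delete:
    post:
      summary: Tink Delete A User
      description: Permanently delete a Tink user and all associated credentials.
      operationId: deleteUser
      tags:
        - User
      # No request body is declared: the user to delete is presumably
      # identified by the Bearer token presented — confirm against the
      # upstream reference before relying on this.
      responses:
        '204':
          description: User deleted.
        '401':
          $ref: '#/components/responses/Unauthorized'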
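components:
  securitySchemes:
    # Bearer tokens issued by /api/v1/oauth/token; applied to every operation
    # through the document-wide `security` block.
    BearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
  schemas:
    # Form body of /api/v1/oauth/token. Which of the optional fields are
    # needed depends on `grant_type`; the schema cannot express that
    # conditionally, so only `grant_type` is marked required.
    TokenRequest:
      type: object
      required:
        - grant_type
      properties:
        grant_type:
          type: string
          enum: [client_credentials, authorization_code, refresh_token]
        client_id:
          type: string
        client_secret:
          type: string
          # `password` is the OpenAPI hint for a credential: documentation
          # renderers and generated clients mask it instead of echoing it.
          format: password
          writeOnly: true
        code:
          type: string
        refresh_token:
          type: string
        scope:
          type: string
    TokenResponse:
      type: object
      properties:
        access_token:
          type: string
        token_type:
          type: string
          example: bearer
        # Lifetime of `access_token` in seconds, per RFC 6749 section 5.1.
        expires_in:
          type: integer
          format: int32
        refresh_token:
          type: string
        scope:
          type: string
        id_hint:
          type: string
    # Form body of /api/v1/oauth/authorization-grant.
    AuthorizationGrantRequest:
      type: object
      required:
        - external_user_id
        - scope
      properties:
        external_user_id:
          type: string
        scope:
          type: string
        id_hint:
          type: string
    # Form body of /api/v1/oauth/authorization-grant/delegate. Unlike the
    # non-delegated form, `external_user_id` is optional here.
    DelegatedAuthorizationGrantRequest:
      type: object
      required:
        - scope
      properties:
        external_user_id:
          type: string
        actor_client_id:
          type: string
        scope:
          type: string
        id_hint:
          type: string
    # Shared by both authorization-grant operations; `code` is the one-time
    # value exchanged at /api/v1/oauth/token.
    AuthorizationGrantResponse:
      type: object
      properties:
        code:
          type: string
    CreateUserRequest:
      type: object
      required:
        - external_user_id
        - market
        - locale
      properties:
        external_user_id:
          type: string
        market:
          type: string
          example: GB
        locale:
          type: string
          example: en_US
        retention_class:
          type: string
          enum: [PERMANENT, TEMPORARY]
    UserResponse:
      type: object
      properties:
        user_id:
          type: string
        external_user_id:
          type: string
    # Error body; note the camelCase field names differ from the snake_case
    # used by every other schema in this document.
    Error:
      type: object
      properties:
        errorMessage:
          type: string
        errorCode:
          type: string
  responses:
    BadRequest:
      description: Invalid request.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    Unauthorized:
      description: Missing or invalid bearer token.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'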