Authorization Code

+----------+
|  User    |
| BTG      |
| Pactual  |
| Empresas |
|          |
+----------+
     ^
     |
    (B)
+----|-----+          Client Id              +---------------+
|          +----(A)-- & Redirect URI ------->|               |
| Browser  |                                 |     BTG Id    |
|          +----(B)-- User authenticates --->|               |
|          |                                 |               |
|          +----(C)-- Authorization Code ---<|               |
+-|----|---+                                 +---------------+
  ^    |                                         ^      v
 (A)  (C)                                        |      |
  |    |                                         |      |
  |    v                                         |      |
+---------+                                      |      |
|         |>---(D)-- Authorization Code ---------'      |
|  App    |          & Redirection URI                  |
|         |                                             |
|         |<---(E)----- Access Token -------------------'
+---------+       (w/ Optional Refresh Token)

Authorization Request

GET /oauth2/authorize?client_id={client_id}&response_type=code&redirect_uri={redirect_uri}&scope={scope} HTTP/1.1
Host: id.btgpactual.com

Authorization Response

HTTP/1.1 302 Found
Location: {redirect_uri}?code={authorization_code}&iss=https%3A%2F%2Fid.btgpactual.com

Token Request

POST /oauth2/token HTTP/1.1
Host: id.btgpactual.com
Content-type: application/x-www-form-urlencoded
Authorization: Basic <client_id:client_secret> // Base 64 encoded

code={authorization_code}&redirect_uri={redirect_uri}&grant_type=authorization_code

Token Response

HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6ImF0K2p3dCIsImtpZCI6InZfT2NvN21uRjBwbERCTU9FTUxlRjFhc01jR3hERURxVVhXdktHWUtWOFkifQ.eyJzdWIiOiIwMDUwNjQ5MzI5NiIsInNjb3BlIjoiYXBwcyBlbWFpbCBvcGVuaWQgcHJvZmlsZSB3ZWJob29rcyIsImlzcyI6Imh0dHBzOi8vaWQuYnRnbWFpc2J1c2luZXNzLmNvbSIsImV4cCI6MTYyODc0MDQxMSwiaWF0IjoxNjI4NjU0MDExLCJjbGllbnRfaWQiOiJkZXZlbG9wZXJzLmRldnBvcnRhbCIsImp0aSI6IjNsX0JKVldZTHhmSnh6ckFhb1lDTjZCVVU5Wks5S3hkb3ZiY0xZNTNNdUEifQ.Vp8CxDXaP9TST5NGpygyqf85cHg5reiT8HtW1WbcPFYshOUaVtiExbUDR_ZSyV-doeUlGNyRq_FSL_bf5HFlOQF6QAtX9i9pYBQGUZGptW8S3a9WjDsMeOluk1BHimuPFOp8jK6vHazfqzHuki-3w4_nJTx_qKK77Wx7FC3XqojE2oXpkN6VnezLTXW5V-tQEVqNCF9Fp_pOS-UtBWwO6UUHRBYXc4JtB0IbxIOS38r1gGiKgaePb7s6Z66ZD4zjc5A_xZeLmBzrdSxLXrcJp7au5gx6Y9tgw3hDFSA9AGZlI35fIAGhU7_jD0DtpFXrQWLbN5lF5663NWvyhbYlwg",
  "refresh_token":"WV6G4HKBrvgiLoFdMBiVxeCHWvqIOr1ASkMcYmX-EI8",
  "scope":"apps email openid profile webhooks",
  "id_token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIwMDUwNjQ5MzI5NiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhdXRoX3RpbWUiOjE2Mjg2NTM5ODUsImN1c3RvbTpvcmlnaW4iOiJhZG1pbiIsImVtYWlsIjoiZW1lcnNvbi5zb2FyZXNAYnRncGFjdHVhbC5jb20iLCJpc3MiOiJodHRwczovL2lkLmJ0Z21haXNidXNpbmVzcy5jb20iLCJhdWQiOlsiZGV2ZWxvcGVycy5kZXZwb3J0YWwiXSwiZXhwIjoxNjI4NzQwNDExLCJpYXQiOjE2Mjg2NTQwMTEsInNfaGFzaCI6IlVhQkdKSEV2d24tOHl3OXZabW45ZmcifQ.Urg9j5s9BckHVTqsJGJASc1FlcJoHgllDNdc5WJY3EQ",
  "token_type":"Bearer",
  "expires_in":86400
}

Did this page help you?