Authentication
Every request to Business Integration Services must carry an OAuth 2.0 Bearer access token issued to the client application.
Treat the Client ID and Client Secret as credentials: keep them in a secrets store or inject them at runtime, never commit them to source control, embed them in client-side code, or write them to logs, and rotate the secret if it is ever exposed.
Get Access Token
Services use the OAuth 2.0 Client Credentials flow. To obtain an access token, the client must call the token endpoint:
https://test-api.tbcbank.ge/oauth/token
The client authenticates with HTTP Basic authentication: the Authorization header must contain the Base64-encoded client_id:client_secret pair:
Authorization: Basic base64(client_id:client_secret)
The request body must be sent as application/x-www-form-urlencoded:
Content-Type: application/x-www-form-urlencoded
with the following required body parameters:
| Parameter | Required | Description |
|---|---|---|
| grant_type | ✅ | OAuth 2.0 grant type. Must be client_credentials for machine-to-machine integrations where the client application acts on its own behalf, without a user context. |
| scope | ✅ | Space-separated list of OAuth 2.0 scopes being requested. Available scopes are listed in the table below. |
When requesting an access token, the client must provide the relevant scope. Request only the scopes the integration actually needs: a token that carries a scope it does not use widens the blast radius if it leaks.
| Scope Name | Description |
|---|---|
| bab_accounts | Account information services: transaction history and account statements |
| bab_transfers | Services related to transfer initiation |
If the client needs to use both account information and transfer services, both scopes must be passed in the token request in space-separated format.
scope=bab_accounts bab_transfers
Token Response
| Field | Description |
|---|---|
| access_token | The issued OAuth 2.0 Bearer access token |
| token_type | Token type. The value is Bearer |
| scope | Space-separated list of OAuth 2.0 scopes granted to this token |
| issued_at | Unix timestamp (seconds since epoch) indicating when the token was issued |
| expires_in | Lifetime of the token in seconds from the moment it was issued |
Use Access Token
After obtaining an access token, the client must pass it in the Authorization header of each API request as a Bearer token:
Authorization: Bearer {access_token}
The access token is valid for 1 hour (the exact lifetime is returned in expires_in). After expiration, the client must call the token endpoint again and obtain a new access token. Cache the token for its lifetime rather than requesting a new one for every API call, compute expiry from expires_in rather than a hard-coded hour, and treat an HTTP 401 from the API as a signal to discard the cached token and request a fresh one. Because a Bearer token grants access to whoever presents it, send it only over HTTPS and never log it.
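The full flow above (Basic-authenticated token request with both scopes, response validation, and reuse of the token in the Bearer header until shortly before expires_in runs out), as an added example that is not part of this documentation or a TBC Bank SDK. The token URL and scope names are taken from the page; the class and function names, the pluggable transport, the 60-second refresh margin, and the offline stand-in for the token endpoint are assumptions of this example.

```python
"""Client Credentials token handling for the Business Integration Services API.

Added example, not vendor code. TOKEN_URL and the scope names come from the
documentation; everything else (names, transport hook, refresh margin) is assumed.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://test-api.tbcbank.ge/oauth/token"  # from the documentation
REFRESH_MARGIN = 60  # assumed: refresh this many seconds before the token expires


def basic_auth_header(client_id, client_secret):
    """Build 'Basic ' + base64(client_id:client_secret) for the token endpoint."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id, client_secret, scopes):
    """Return (headers, body) for the token request.

    Scopes are joined with a single space; urlencode renders that space as '+',
    which is the correct application/x-www-form-urlencoded encoding.
    """
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": " ".join(scopes)}
    )
    return headers, body


def urllib_transport(url, headers, body):
    """Real transport: POST the form body over HTTPS and return (status, parsed JSON)."""
    req = urllib.request.Request(url, data=body.encode("ascii"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


# Constructed stand-in for the token endpoint so the demo runs offline; not a real token.
FAKE_TOKEN = "constructed-token-value"


def fake_transport(url, headers, body):
    """Echoes the requested scope back in the documented response shape."""
    fields = urllib.parse.parse_qs(body)  # parse_qs turns '+' back into a space
    if fields.get("grant_type") != ["client_credentials"] or not headers["Authorization"].startswith("Basic "):
        return 400, {"error": "invalid_request"}
    return 200, {"access_token": FAKE_TOKEN, "token_type": "Bearer",
                 "scope": fields["scope"][0], "issued_at": 1000, "expires_in": 3600}


class TokenCache:
    """Holds one access token and re-requests it shortly before expires_in elapses."""

    def __init__(self, client_id, client_secret, scopes, transport=urllib_transport, clock=time.time):
        self._client_id, self._client_secret, self._scopes = client_id, client_secret, list(scopes)
        self._transport, self._clock = transport, clock
        self._token, self._expires_at, self.fetch_count = None, 0.0, 0

    def _fetch(self):
        headers, body = build_token_request(self._client_id, self._client_secret, self._scopes)
        status, payload = self._transport(TOKEN_URL, headers, body)
        if status != 200 or str(payload.get("token_type", "")).lower() != "bearer":
            raise RuntimeError(f"token request failed: HTTP {status} {payload}")
        missing = set(self._scopes) - set(str(payload.get("scope", "")).split())
        if missing:  # a token without the scope we need would only fail later, at the API
            raise RuntimeError(f"token lacks requested scopes: {sorted(missing)}")
        # Expiry is anchored to the local clock at receipt plus expires_in, so it does not
        # depend on client and server clocks agreeing; issued_at is informational here.
        self._expires_at = self._clock() + float(payload["expires_in"])
        self._token = payload["access_token"]
        self.fetch_count += 1

    def invalidate(self):
        """Call on an HTTP 401 from the API: the next access_token() re-requests."""
        self._token = None

    def access_token(self):
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN:
            self._fetch()
        return self._token

    def auth_headers(self):
        """Header to attach to every API call: Authorization: Bearer {access_token}."""
        return {"Authorization": f"Bearer {self.access_token()}"}


if __name__ == "__main__":
    cache = TokenCache("demo-client-id", "demo-client-secret",
                       ["bab_accounts", "bab_transfers"], transport=fake_transport)
    print(cache.auth_headers())
```

To run against the real endpoint, drop the transport argument (urllib_transport is the default) and supply the actual Client ID and Secret from your secrets store; the scope check rejects a token that was granted fewer scopes than requested so that the failure surfaces at token time rather than on the first transfer call.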
