openapi: 3.1.0
info:
  title: Tink OAuth and Authorization API
  description: >
    OAuth 2.0 client-credentials, refresh, and delegated authorization-grant
    endpoints that gate every Tink data, payments, and reporting API. Tink
    issues client access tokens for server-to-server calls, user access tokens
    on behalf of an end user, and short-lived authorization codes that the
    Tink Link flow exchanges for user tokens. All other Tink APIs require a
    Bearer token issued by this service.
  version: '1.0'
  contact:
    name: Tink Developer Support
    url: https://docs.tink.com/
  license:
    name: Tink Terms of Service
    url: https://tink.com/terms-and-conditions/
servers:
  - url: https://api.tink.com
    description: Tink EU Production
  - url: https://api.us.tink.com
    description: Tink US Production
security:
  - BearerAuth: []
tags:
  - name: OAuth
    description: Token, authorization, and delegated grant endpoints.
  - name: User
    description: Permanent user lifecycle management.
paths:
  /api/v1/oauth/token:
    post:
      summary: Tink Create An OAuth Token
      description: >
        Issue an OAuth 2.0 access token. Supports `client_credentials` for
        server-side calls, `authorization_code` to exchange a Tink Link or
        delegated grant code for a user token, and `refresh_token` to renew an
        existing user token without re-authentication.
      operationId: createOauthToken
      tags:
        - OAuth
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/TokenRequest'
      responses:
        '200':
          description: Access token issued.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /api/v1/oauth/authorization-grant:
    post:
      summary: Tink Create An Authorization Grant
      description: >
        Mint a one-time authorization code for an existing permanent user.
        The returned `code` is exchanged at `/api/v1/oauth/token` with
        `grant_type=authorization_code` to obtain a user access token scoped
        to the requested data products.
      operationId: createAuthorizationGrant
      tags:
        - OAuth
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/AuthorizationGrantRequest'
      responses:
        '200':
          description: Authorization code issued.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthorizationGrantResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
  /api/v1/oauth/authorization-grant/delegate:
    post:
      summary: Tink Create A Delegated Authorization Grant
      description: >
        Mint a delegated authorization code for a user who has not yet
        connected a bank, returning a Tink Link URL the customer can launch to
        authenticate with their bank and consent to the requested scopes.
      operationId: createDelegatedAuthorizationGrant
      tags:
        - OAuth
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/DelegatedAuthorizationGrantRequest'
      responses:
        '200':
          description: Delegated authorization code issued.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthorizationGrantResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
  /api/v1/user/create:
    post:
      summary: Tink Create A Permanent User
      description: >
        Create a permanent Tink user identified by `external_user_id` for
        repeat data access. Required before delegating authorization for
        continuous-access products such as Transactions, Balance Check, and
        Account Check refreshes.
      operationId: createUser
      tags:
        - User
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateUserRequest'
      responses:
        '200':
          description: User created.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UserResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
  /api/v1/user/delete:
    post:
      summary: Tink Delete A User
      description: Permanently delete a Tink user and all associated credentials.
      operationId: deleteUser
      tags:
        - User
      responses:
        '204':
          description: User deleted.
        '401':
          $ref: '#/components/responses/Unauthorized'
components:
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
  schemas:
    TokenRequest:
      type: object
      required:
        - grant_type
      properties:
        grant_type:
          type: string
          enum: [client_credentials, authorization_code, refresh_token]
        client_id:
          type: string
        client_secret:
          type: string
        code:
          type: string
        refresh_token:
          type: string
        scope:
          type: string
    TokenResponse:
      type: object
      properties:
        access_token:
          type: string
        token_type:
          type: string
          example: bearer
        expires_in:
          type: integer
          format: int32
        refresh_token:
          type: string
        scope:
          type: string
        id_hint:
          type: string
    AuthorizationGrantRequest:
      type: object
      required:
        - external_user_id
        - scope
      properties:
        external_user_id:
          type: string
        scope:
          type: string
        id_hint:
          type: string
    DelegatedAuthorizationGrantRequest:
      type: object
      required:
        - scope
      properties:
        external_user_id:
          type: string
        actor_client_id:
          type: string
        scope:
          type: string
        id_hint:
          type: string
    AuthorizationGrantResponse:
      type: object
      properties:
        code:
          type: string
    CreateUserRequest:
      type: object
      required:
        - external_user_id
        - market
        - locale
      properties:
        external_user_id:
          type: string
        market:
          type: string
          example: GB
        locale:
          type: string
          example: en_US
        retention_class:
          type: string
          enum: [PERMANENT, TEMPORARY]
    UserResponse:
      type: object
      properties:
        user_id:
          type: string
        external_user_id:
          type: string
    Error:
      type: object
      properties:
        errorMessage:
          type: string
        errorCode:
          type: string
  responses:
    BadRequest:
      description: Invalid request.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    Unauthorized:
      description: Missing or invalid bearer token.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'