POST /v2/oauth/revoke
OAuth token revocation

Logs out a user by revoking an OAuth token as per IETF RFC 7009.
form grant_type
form client_id: OAuth Client id
form client_secret: OAuth Client id
form username
form password
form scope
form mfa_token: Token obtained from the verification api

Example: Authenticate and then revoke

POST /v1/authentications/password

{
"mfaToken": "59417a02-d35f-4e61-8230-50909f61b3dd",
"password": "fin8@53y38!4rj",
"clientId": "BoldAuthStaging",
"clientSecret": "cw3JrFa5vYQGGcm46pABAsPS",
"phoneNumber": "+40711111298"
}

Response

status 200
header Access-Control-Expose-Headers: authorization, content-type
header Access-Control-Allow-Headers: authorization, content-type
header Access-Control-Allow-Methods: GET, POST, DELETE, OPTIONS, PUT
header Access-Control-Allow-Origin: *
header Strict-Transport-Security: max-age=31536000; includeSubDomains
header X-Frame-Options: SAMEORIGIN
header X-Content-Type-Options: nosniff
header X-XSS-Protection: 1; mode=block
header Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'
header Referrer-Policy: no-referrer
header Feature-Policy: self
header Permissions-policy: interest-cohort=()
{
"code": "2530c40b-0e57-4858-a92c-bbeb4f814a6c",
"expiration": "2026-03-10T09:42:49.242594122Z",
"accountId": 53,
"accountCreated": false
}

POST /v2/oauth/token

header Content-Type: application/x-www-form-urlencoded
form grant_type: authorization_code
form code: 2530c40b-0e57-4858-a92c-bbeb4f814a6c
form redirect_uri: boldsmartlock%3A%2F%2Fauth
form client_id: BoldAuthStaging
form client_secret: cw3JrFa5vYQGGcm46pABAsPS

Response

status 200
header Access-Control-Expose-Headers: authorization, content-type
header Access-Control-Allow-Headers: authorization, content-type
header Access-Control-Allow-Methods: GET, POST, DELETE, OPTIONS, PUT
header Access-Control-Allow-Origin: *
header Strict-Transport-Security: max-age=31536000; includeSubDomains
header X-Frame-Options: SAMEORIGIN
header X-Content-Type-Options: nosniff
header X-XSS-Protection: 1; mode=block
header Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'
header Referrer-Policy: no-referrer
header Feature-Policy: self
header Permissions-policy: interest-cohort=()
{
"access_token": "beab134e-6bb8-48ab-8778-c2b4acfcbc9f",
"refresh_token": "63238090-ef22-4c70-a6d7-381477664235",
"token_type": "Bearer",
"expires_in": 86400,
"account_id": 53
}

POST /v2/oauth/revoke

header Content-Type: application/x-www-form-urlencoded
form token: beab134e-6bb8-48ab-8778-c2b4acfcbc9f
form token_type_hint: access_token

Response

status 200
header Access-Control-Expose-Headers: authorization, content-type
header Access-Control-Allow-Headers: authorization, content-type
header Access-Control-Allow-Methods: GET, POST, DELETE, OPTIONS, PUT
header Access-Control-Allow-Origin: *
header Strict-Transport-Security: max-age=31536000; includeSubDomains
header X-Frame-Options: SAMEORIGIN
header X-Content-Type-Options: nosniff
header X-XSS-Protection: 1; mode=block
header Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'
header Referrer-Policy: no-referrer
header Feature-Policy: self
header Permissions-policy: interest-cohort=()
{}

Example: revoke invalid token

POST /v2/oauth/revoke

header Content-Type: application/x-www-form-urlencoded
form token: 17d67d53-4cf4-4947-8b82-013435e78ce5
form token_type_hint: access_token

Response

status 200
header Access-Control-Expose-Headers: authorization, content-type
header Access-Control-Allow-Headers: authorization, content-type
header Access-Control-Allow-Methods: GET, POST, DELETE, OPTIONS, PUT
header Access-Control-Allow-Origin: *
header Strict-Transport-Security: max-age=31536000; includeSubDomains
header X-Frame-Options: SAMEORIGIN
header X-Content-Type-Options: nosniff
header X-XSS-Protection: 1; mode=block
header Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'
header Referrer-Policy: no-referrer
header Feature-Policy: self
header Permissions-policy: interest-cohort=()
{}

Example: revoke random string

Shows that revoking a non-existent token does not result in an error. Because the response is the same as for a valid token, the endpoint cannot be used to guess tokens.

POST /v2/oauth/revoke

header Content-Type: application/x-www-form-urlencoded
form token: PqAscz7EKcHXhPxK
form token_type_hint: access_token

Response

status 200
header Access-Control-Expose-Headers: authorization, content-type
header Access-Control-Allow-Headers: authorization, content-type
header Access-Control-Allow-Methods: GET, POST, DELETE, OPTIONS, PUT
header Access-Control-Allow-Origin: *
header Strict-Transport-Security: max-age=31536000; includeSubDomains
header X-Frame-Options: SAMEORIGIN
header X-Content-Type-Options: nosniff
header X-XSS-Protection: 1; mode=block
header Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'
header Referrer-Policy: no-referrer
header Feature-Policy: self
header Permissions-policy: interest-cohort=()
{}
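
Added example (not part of the original documentation and not this service's code): a minimal in-memory sketch of the server-side behaviour the three revoke examples show, where a valid token, an already invalid token and a random string all receive the same 200 and empty body. TokenStore, handle_revoke and the token values are hypothetical and constructed for illustration; treating token_type_hint as a search-order hint only follows RFC 7009.

```python
# Added illustration: in-memory sketch of a revocation handler.
# TokenStore, handle_revoke and all token values are hypothetical/constructed.
from urllib.parse import parse_qs


class TokenStore:
    def __init__(self):
        # One table per token type: token value -> account id.
        self.tables = {"access_token": {}, "refresh_token": {}}
        self.audit_log = []  # server-side record of what each call did

    def issue(self, kind, token, account_id):
        self.tables[kind][token] = account_id

    def is_active(self, token):
        return any(token in table for table in self.tables.values())

    def revoke(self, token, hint=None):
        # The hint only picks which table is searched first; a wrong or
        # missing hint must not stop the token from being found.
        for kind in sorted(self.tables, key=lambda k: k != hint):
            if self.tables[kind].pop(token, None) is not None:
                return True
        return False


def handle_revoke(store, form_body):
    """Handle an application/x-www-form-urlencoded revoke request body."""
    form = parse_qs(form_body)
    token = form.get("token", [""])[0]
    hint = form.get("token_type_hint", [None])[0]
    # The outcome goes to the audit log only. The caller gets the same
    # status and body whether or not the token existed, so the endpoint
    # cannot be used to test guesses.
    store.audit_log.append(store.revoke(token, hint))
    return 200, "{}"
```

The audit log is where a defender would look for bursts of revocations of unknown tokens, since the HTTP responses themselves are indistinguishable by design.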