POST/v2/oauth/tokenOAuth Authentication

OAuth2 authentication as per OAuth 2.0. Keep in mind, grant_type 'password' is deprecated and we'll remove it completely in th near future.

form	grant_type
form	client_id
form	client_secret
form	username
form	password
form	scope
form	mfa_token	MFA token as obtained by the Verification API

Example: Authenticate with username and password

Removed with the OAuth 2.1 spec. Please use the Authentication API

POST/v2/oauth/token

header	Content-Type	application/x-www-form-urlencoded
form	grant_type	password
form	client_id	BoldAppStaging
form	client_secret	aivM9yDBV2cngb4XeV8tJmyd
form	username	%2B40711111298
form	password	fin8%4053y38%214rj
form	scope	platform
form	mfa_token	cdb42109-feb8-4d55-b0ff-636cc6d1bc9e

Response

status	400
header	Access-Control-Expose-Headers	authorization, content-type
header	Access-Control-Allow-Headers	authorization, content-type
header	Access-Control-Allow-Methods	GET, POST, DELETE, OPTIONS, PUT
header	Access-Control-Allow-Origin	*
header	Strict-Transport-Security	max-age=31536000; includeSubDomains
header	X-Frame-Options	SAMEORIGIN
header	X-Content-Type-Options	nosniff
header	X-XSS-Protection	1; mode=block
header	Content-Security-Policy	default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'
header	Referrer-Policy	no-referrer
header	Feature-Policy	self
header	Permissions-policy	interest-cohort=()
{ "message": "This functionality is not supported. Please update the app to the latest version.", "code": "OldAppVersion", "errorMessage": "This functionality is not supported. Please update the app to the latest version.", "errorCode": "OldAppVersion" }

Example: Authenticate with authorization grant code

POST/v2/oauth/token

header	Content-Type	application/x-www-form-urlencoded
form	grant_type	authorization_code
form	code	7f04be65-ace8-45cc-8c5a-7def1916b991
form	redirect_uri	https%3A%2F%2Fauthorization.sesamtechnology.com
form	client_id	BoldThirdPartyStaging
form	client_secret	nKgKVuwrbV59wMZH6XXgJ3Ja

Response

status	200
header	Access-Control-Expose-Headers	authorization, content-type
header	Access-Control-Allow-Headers	authorization, content-type
header	Access-Control-Allow-Methods	GET, POST, DELETE, OPTIONS, PUT
header	Access-Control-Allow-Origin	*
header	Strict-Transport-Security	max-age=31536000; includeSubDomains
header	X-Frame-Options	SAMEORIGIN
header	X-Content-Type-Options	nosniff
header	X-XSS-Protection	1; mode=block
header	Content-Security-Policy	default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'
header	Referrer-Policy	no-referrer
header	Feature-Policy	self
header	Permissions-policy	interest-cohort=()
{ "access_token": "9e01439a-20d9-40b9-ae0c-fadec8b8504a", "refresh_token": "f2e59b9e-e195-4d32-8bec-bccf0c6ca153", "token_type": "Bearer", "expires_in": 86400, "account_id": 49 }

Example: Refresh authentication token

POST/v1/authentications/password

{

"mfaToken": "af8337b5-311f-4abf-9fa3-9a51ff8db340",

"password": "fin8@53y38!4rj",

"clientId": "BoldAuthStaging",

"clientSecret": "cw3JrFa5vYQGGcm46pABAsPS",

"phoneNumber": "+40711111298"

}

Response

status	200
header	Access-Control-Expose-Headers	authorization, content-type
header	Access-Control-Allow-Headers	authorization, content-type
header	Access-Control-Allow-Methods	GET, POST, DELETE, OPTIONS, PUT
header	Access-Control-Allow-Origin	*
header	Strict-Transport-Security	max-age=31536000; includeSubDomains
header	X-Frame-Options	SAMEORIGIN
header	X-Content-Type-Options	nosniff
header	X-XSS-Protection	1; mode=block
header	Content-Security-Policy	default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'
header	Referrer-Policy	no-referrer
header	Feature-Policy	self
header	Permissions-policy	interest-cohort=()
{ "code": "b51b918e-3e85-4086-aec5-370dd61d8bd3", "expiration": "2026-03-10T09:42:45.553536044Z", "accountId": 50, "accountCreated": false }

POST/v2/oauth/token

header	Content-Type	application/x-www-form-urlencoded
form	grant_type	authorization_code
form	code	b51b918e-3e85-4086-aec5-370dd61d8bd3
form	redirect_uri	boldsmartlock%3A%2F%2Fauth
form	client_id	BoldAuthStaging
form	client_secret	cw3JrFa5vYQGGcm46pABAsPS

Response

status	200
header	Access-Control-Expose-Headers	authorization, content-type
header	Access-Control-Allow-Headers	authorization, content-type
header	Access-Control-Allow-Methods	GET, POST, DELETE, OPTIONS, PUT
header	Access-Control-Allow-Origin	*
header	Strict-Transport-Security	max-age=31536000; includeSubDomains
header	X-Frame-Options	SAMEORIGIN
header	X-Content-Type-Options	nosniff
header	X-XSS-Protection	1; mode=block
header	Content-Security-Policy	default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'
header	Referrer-Policy	no-referrer
header	Feature-Policy	self
header	Permissions-policy	interest-cohort=()
{ "access_token": "199e3162-80cb-4acf-9281-f58487879c32", "refresh_token": "40156dc1-8920-4360-afeb-168925d31aba", "token_type": "Bearer", "expires_in": 86400, "account_id": 50 }

POST/v2/oauth/token

header	Content-Type	application/x-www-form-urlencoded
form	grant_type	refresh_token
form	client_id	BoldAuthStaging
form	client_secret	cw3JrFa5vYQGGcm46pABAsPS
form	refresh_token	40156dc1-8920-4360-afeb-168925d31aba

Response

status	200
header	Access-Control-Expose-Headers	authorization, content-type
header	Access-Control-Allow-Headers	authorization, content-type
header	Access-Control-Allow-Methods	GET, POST, DELETE, OPTIONS, PUT
header	Access-Control-Allow-Origin	*
header	Strict-Transport-Security	max-age=31536000; includeSubDomains
header	X-Frame-Options	SAMEORIGIN
header	X-Content-Type-Options	nosniff
header	X-XSS-Protection	1; mode=block
header	Content-Security-Policy	default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'
header	Referrer-Policy	no-referrer
header	Feature-Policy	self
header	Permissions-policy	interest-cohort=()
{ "access_token": "cd5bc01e-ae01-4a69-b9d6-4d3c65d087b0", "refresh_token": "dd480b2f-3b46-4321-9e5b-026511d00486", "token_type": "Bearer", "expires_in": 86400, "account_id": 50 }

Example: Authenticate twice in a row for the same client

POST/v1/authentications/password

{

"mfaToken": "52053dec-81d1-449c-ab4d-cf93a1c6b495",

"password": "fin8@53y38!4rj",

"clientId": "BoldAuthStaging",

"clientSecret": "cw3JrFa5vYQGGcm46pABAsPS",

"phoneNumber": "+40711111298"

}

Response

status	200
header	Access-Control-Expose-Headers	authorization, content-type
header	Access-Control-Allow-Headers	authorization, content-type
header	Access-Control-Allow-Methods	GET, POST, DELETE, OPTIONS, PUT
header	Access-Control-Allow-Origin	*
header	Strict-Transport-Security	max-age=31536000; includeSubDomains
header	X-Frame-Options	SAMEORIGIN
header	X-Content-Type-Options	nosniff
header	X-XSS-Protection	1; mode=block
header	Content-Security-Policy	default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'
header	Referrer-Policy	no-referrer
header	Feature-Policy	self
header	Permissions-policy	interest-cohort=()
{ "code": "c5bb6168-a1f7-403b-a172-3682dfd1d61c", "expiration": "2026-03-10T09:42:46.770395707Z", "accountId": 51, "accountCreated": false }

POST/v2/oauth/token

header	Content-Type	application/x-www-form-urlencoded
form	grant_type	authorization_code
form	code	c5bb6168-a1f7-403b-a172-3682dfd1d61c
form	redirect_uri	boldsmartlock%3A%2F%2Fauth
form	client_id	BoldAuthStaging
form	client_secret	cw3JrFa5vYQGGcm46pABAsPS

Response

status	200
header	Access-Control-Expose-Headers	authorization, content-type
header	Access-Control-Allow-Headers	authorization, content-type
header	Access-Control-Allow-Methods	GET, POST, DELETE, OPTIONS, PUT
header	Access-Control-Allow-Origin	*
header	Strict-Transport-Security	max-age=31536000; includeSubDomains
header	X-Frame-Options	SAMEORIGIN
header	X-Content-Type-Options	nosniff
header	X-XSS-Protection	1; mode=block
header	Content-Security-Policy	default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'
header	Referrer-Policy	no-referrer
header	Feature-Policy	self
header	Permissions-policy	interest-cohort=()
{ "access_token": "41352fcb-b434-4fe4-aaa0-654d9b4f4053", "refresh_token": "7391383b-89ff-415d-bb4b-083d4b5f818b", "token_type": "Bearer", "expires_in": 86400, "account_id": 51 }

POST/v2/oauth/token

header	Content-Type	application/x-www-form-urlencoded
form	grant_type	authorization_code
form	code	c5bb6168-a1f7-403b-a172-3682dfd1d61c
form	redirect_uri	boldsmartlock%3A%2F%2Fauth
form	client_id	BoldAuthStaging
form	client_secret	cw3JrFa5vYQGGcm46pABAsPS

Response

status	400
header	Access-Control-Expose-Headers	authorization, content-type
header	Access-Control-Allow-Headers	authorization, content-type
header	Access-Control-Allow-Methods	GET, POST, DELETE, OPTIONS, PUT
header	Access-Control-Allow-Origin	*
header	Strict-Transport-Security	max-age=31536000; includeSubDomains
header	X-Frame-Options	SAMEORIGIN
header	X-Content-Type-Options	nosniff
header	X-XSS-Protection	1; mode=block
header	Content-Security-Policy	default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'
header	Referrer-Policy	no-referrer
header	Feature-Policy	self
header	Permissions-policy	interest-cohort=()
{ "error": "invalid_request", "error_description": "InvalidGrantCode", "message": "OAuth failure", "errorMessage": "OAuth failure" }

Example: Authenticate, then use token with old system

POST/v1/authentications/password

{

"mfaToken": "b4b9d03a-4384-40a1-b53a-98978bfe71b9",

"password": "fin8@53y38!4rj",

"clientId": "BoldAuthStaging",

"clientSecret": "cw3JrFa5vYQGGcm46pABAsPS",

"phoneNumber": "+40711111298"

}

Response

status	200
header	Access-Control-Expose-Headers	authorization, content-type
header	Access-Control-Allow-Headers	authorization, content-type
header	Access-Control-Allow-Methods	GET, POST, DELETE, OPTIONS, PUT
header	Access-Control-Allow-Origin	*
header	Strict-Transport-Security	max-age=31536000; includeSubDomains
header	X-Frame-Options	SAMEORIGIN
header	X-Content-Type-Options	nosniff
header	X-XSS-Protection	1; mode=block
header	Content-Security-Policy	default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'
header	Referrer-Policy	no-referrer
header	Feature-Policy	self
header	Permissions-policy	interest-cohort=()
{ "code": "e3f2cf8a-073b-4413-9442-68dd1e11ec60", "expiration": "2026-03-10T09:42:47.957536019Z", "accountId": 52, "accountCreated": false }

POST/v2/oauth/token

header	Content-Type	application/x-www-form-urlencoded
form	grant_type	authorization_code
form	code	e3f2cf8a-073b-4413-9442-68dd1e11ec60
form	redirect_uri	boldsmartlock%3A%2F%2Fauth
form	client_id	BoldAuthStaging
form	client_secret	cw3JrFa5vYQGGcm46pABAsPS

Response

status	200
header	Access-Control-Expose-Headers	authorization, content-type
header	Access-Control-Allow-Headers	authorization, content-type
header	Access-Control-Allow-Methods	GET, POST, DELETE, OPTIONS, PUT
header	Access-Control-Allow-Origin	*
header	Strict-Transport-Security	max-age=31536000; includeSubDomains
header	X-Frame-Options	SAMEORIGIN
header	X-Content-Type-Options	nosniff
header	X-XSS-Protection	1; mode=block
header	Content-Security-Policy	default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'
header	Referrer-Policy	no-referrer
header	Feature-Policy	self
header	Permissions-policy	interest-cohort=()
{ "access_token": "9c273f53-df0f-4f4f-afcd-3f5be3b4e3d1", "refresh_token": "287f7b7e-9a9e-4a58-87b0-1545b28f2b29", "token_type": "Bearer", "expires_in": 86400, "account_id": 52 }

GET/v1/accounts

header	Authorization	Bearer 9c273f53-df0f-4f4f-afcd-3f5be3b4e3d1

Response

status	200
header	Access-Control-Expose-Headers	authorization, content-type
header	Access-Control-Allow-Headers	authorization, content-type
header	Access-Control-Allow-Methods	GET, POST, DELETE, OPTIONS, PUT
header	Access-Control-Allow-Origin	*
header	Strict-Transport-Security	max-age=31536000; includeSubDomains
header	X-Frame-Options	SAMEORIGIN
header	X-Content-Type-Options	nosniff
header	X-XSS-Protection	1; mode=block
header	Content-Security-Policy	default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'
header	Referrer-Policy	no-referrer
header	Feature-Policy	self
header	Permissions-policy	interest-cohort=()
[{ "id": 52, "email": "sesam@example.com", "phone": "+40711111298", "phoneCountryCode": "RO", "isSystemAccount": false, "isSupportAccount": false, "isSystemIntegration": false, "dateCreated": "2026-03-10T09:32:47.714393Z", "dateModified": "2026-03-10T09:32:48.239216Z", "dateLastAuthentication": "2026-03-10T09:32:48.222947Z", "registered": true }]

GET/v1/accounts

header	X-Auth-Token	9c273f53-df0f-4f4f-afcd-3f5be3b4e3d1

Response

status	401
header	Access-Control-Expose-Headers	authorization, content-type
header	Access-Control-Allow-Headers	authorization, content-type
header	Access-Control-Allow-Methods	GET, POST, DELETE, OPTIONS, PUT
header	Access-Control-Allow-Origin	*
header	Strict-Transport-Security	max-age=31536000; includeSubDomains
header	X-Frame-Options	SAMEORIGIN
header	X-Content-Type-Options	nosniff
header	X-XSS-Protection	1; mode=block
header	Content-Security-Policy	default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'
header	Referrer-Policy	no-referrer
header	Feature-Policy	self
header	Permissions-policy	interest-cohort=()
{ "message": "Authentication is possible but has failed or not yet been provided.", "errorMessage": "Authentication is possible but has failed or not yet been provided." }

← OAuth API

Authenticate user with OAuth 2

POST/v2/oauth/tokenOAuth Authentication

Example: Authenticate with username and password

POST/v2/oauth/token

Response

Example: Authenticate with authorization grant code

POST/v2/oauth/token

Response

Example: Refresh authentication token

POST/v1/authentications/password

Response

POST/v2/oauth/token

Response

POST/v2/oauth/token

Response

Example: Authenticate twice in a row for the same client

POST/v1/authentications/password

Response

POST/v2/oauth/token

Response

POST/v2/oauth/token

Response

Example: Authenticate, then use token with old system

POST/v1/authentications/password

Response

POST/v2/oauth/token

Response

GET/v1/accounts

Response

GET/v1/accounts

Response