Generate Access Token

POST /auth/token

Example request:
curl --request POST \
  --url https://api.fyatu.com/api/v3.20/auth/token \
  --header 'Content-Type: application/json' \
  --data '
{
  "businessId": "N1S0W3Q8P0V1E5M6Q4R3D8Z9",
  "secretKey": "sk_biz_your_plain_secret_key",
  "grantType": "client_credentials",
  "scopes": [
    "cards:read",
    "cards:write",
    "cardholders:read",
    "cardholders:write"
  ]
}
'

Example response:

{
  "success": true,
  "status": 200,
  "message": "Token generated successfully",
  "data": {
    "accessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJOMVMwVzNROFAwVjFFNU02UTRSMy...",
    "tokenType": "Bearer",
    "expiresIn": 86400,
    "expiresAt": "2026-05-01T10:30:00+00:00",
    "scopes": [
      "cards:read",
      "cards:write",
      "cardholders:read",
      "cardholders:write"
    ]
  },
  "meta": {
    "requestId": "req_9f3e2a1b4c5d67e8",
    "timestamp": "2026-04-30T10:30:00+00:00"
  }
}

Getting Your Credentials: Log in to FYATU Dashboard → Business Dashboard → Developer → API Credentials

Overview

Exchange your API credentials (businessId and secretKey) for a JWT access token. This token authenticates all V3.20 API requests. Specify only the scopes your integration needs.

Token Details

| Property | Value |
| --- | --- |
| Algorithm | JWT HS256 |
| Expiry | 24 hours (86400 seconds) |
| Refresh window | Up to 5 minutes after expiry |

Available Scopes

| Scope | Description |
| --- | --- |
| cards:read | View cards and card transactions |
| cards:write | Create, fund, freeze, replace, delete cards |
| cardholders:read | View cardholder profiles |
| cardholders:write | Create, update, delete cardholders; initiate KYC |
| programs:read | View card programs and products |
| account:read | View wallet, transactions, pricing, statement |
| webhooks:read | View webhook configuration and event types |
| webhooks:write | Update webhook URL, regenerate secret, send test |

Using the Token

Include the token in the Authorization header for all protected requests:
curl -X GET https://api.fyatu.com/api/v3.20/cardholders \
  -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."

Error Codes

| Code | Description |
| --- | --- |
| VALIDATION_ERROR | Missing or invalid request parameters |
| AUTH_INVALID_CREDENTIALS | Business not found or secret key mismatch |
| AUTH_BUSINESS_INACTIVE | Business account is suspended or inactive |

Request only the scopes your integration needs. A read-only reporting tool should only request *:read scopes; this limits the impact if the token is ever compromised.
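
The scope advice above can be enforced on the client side. The following is an added example, not FYATU's own code: it builds the request body with an explicit scope list, rejects a token that grants more than was requested, and computes when to renew from `expiresIn`. The helper names, the 60-second renewal margin, and the assumption that a failed request does not return `"success": true` are hypothetical.

```python
import json
from datetime import datetime, timedelta, timezone

# Scope names copied from the "Available Scopes" table on this page.
KNOWN_SCOPES = {"cards:read", "cards:write", "cardholders:read", "cardholders:write",
                "programs:read", "account:read", "webhooks:read", "webhooks:write"}

def build_token_request(business_id, secret_key, scopes):
    """Build the POST /auth/token body; always send an explicit scope list."""
    scopes = sorted(set(scopes))
    if not scopes:
        # Omitting scopes returns every scope the business is eligible for.
        raise ValueError("refusing to request a token without explicit scopes")
    unknown = set(scopes) - KNOWN_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    return {"businessId": business_id, "secretKey": secret_key,
            "grantType": "client_credentials", "scopes": scopes}

def parse_token_response(raw_body, requested, now, margin=timedelta(seconds=60)):
    """Return (token, granted_scopes, renew_at) or raise if the grant looks wrong."""
    body = json.loads(raw_body)
    if body.get("success") is not True:  # assumed failure shape, not shown on the page
        raise PermissionError(body.get("message", "token request failed"))
    data = body["data"]
    if data.get("tokenType") != "Bearer":
        raise ValueError("unexpected tokenType")
    granted = set(data.get("scopes", []))
    extra = granted - set(requested)
    if extra:  # token is broader than this integration asked for
        raise ValueError(f"token grants unrequested scopes: {sorted(extra)}")
    # Renew slightly before the stated lifetime ends (margin is a hypothetical choice).
    renew_at = now + timedelta(seconds=int(data["expiresIn"])) - margin
    return data["accessToken"], granted, renew_at

# Constructed sample modelled on the example response; the token is a placeholder.
SAMPLE_RESPONSE = json.dumps({
    "success": True, "status": 200, "message": "Token generated successfully",
    "data": {"accessToken": "PLACEHOLDER.JWT.VALUE", "tokenType": "Bearer",
             "expiresIn": 86400, "scopes": ["cardholders:read", "cards:read"]}})

if __name__ == "__main__":
    wanted = ["cards:read", "cardholders:read"]
    request_body = build_token_request("BUSINESS_ID_PLACEHOLDER", "sk_biz_placeholder", wanted)
    now = datetime(2026, 4, 30, 10, 30, tzinfo=timezone.utc)  # constructed clock value
    _, granted, renew_at = parse_token_response(SAMPLE_RESPONSE, wanted, now)
    print(request_body["scopes"], sorted(granted), renew_at.isoformat())
```

The demo prints only scopes and the renewal time; the secret key and the access token are never written to output.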

Body

application/json

businessId (string, required)
Your business ID. Example: "N1S0W3Q8P0V1E5M6Q4R3D8Z9"

secretKey (string, required)
Your plain-text secret key (shown once at generation). Example: "sk_biz_..."

grantType (enum<string>, required)
Available options: client_credentials

scopes (enum<string>[])
Scopes to grant. Omit to receive all scopes your business is eligible for.
Available options: cards:read, cards:write, cardholders:read, cardholders:write, programs:read, account:read, webhooks:read, webhooks:write

Response

Token generated successfully

success (boolean)
status (integer)
message (string)
data (object)
meta (object)