# Mint an Access Token with an OAuth Access Key

Use this flow when OAuth is enabled for your merchant and you want to authenticate merchant API requests with an OAuth 2.0 Client Credentials bearer token instead of HTTP Basic Auth.

This guide covers only the token exchange flow. For Direct API setup, enabling OAuth, and managing access keys in Merchant Dashboard, see [Direct API Access and Authentication](/guides/direct-api-access-and-authentication).

## Before you begin

In Merchant Dashboard, navigate to `Settings > Integrations > Direct API`.

Make sure:

- OAuth is enabled
- you have a valid access key
- you have copied the access key's `client_id` and `client_secret`


## 1. Exchange the access key for a bearer token

Send a `POST` request to `/access-keys/token` with the access key credentials in the request body.

This token-minting request does not use an `Authorization` header. The `client_id` and `client_secret` in the request body are the credentials used to authenticate the request.


```bash
curl https://app.resolvepay.com/api/access-keys/token \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "<client_id>",
    "client_secret": "<client_secret>"
  }'
```

Example response:


```json
{
  "access_token": "eyJ...",
  "token_type": "Bearer",
  "expires_in": 86400,
  "scope": "merchant:read merchant:write"
}
```

## 2. Use the bearer token

Include the returned token in the `Authorization` header when calling the merchant API:


```bash
curl https://app.resolvepay.com/api/customers \
  -H "Authorization: Bearer <access_token>"
```

## Notes

- Expired access keys cannot mint tokens.
- Revoked access keys cannot mint tokens.
- If OAuth is disabled in Merchant Dashboard, bearer-token requests will not be authorized for merchant API calls.


## API Reference

See the merchant API reference for the token endpoint:

- `POST /access-keys/token`