Alipay+Alipay+

applyTokenACQP → Alipay+

POST /aps/api/v1/authorizations/applyToken

The applyToken API is used by the Acquiring Service Provider (ACQP) to obtain an access token, which is used for the purposes such as:

  •  to initiate an Auto Debit payment.
  •  to initiate a one-time password (OTP) verification process.

The applyToken API is used in the following cases:

  • After the auth client (which is usually the merchant) receives the auth code, the ACQP requests the access token from Alipay+. In this case, the applyToken API generally needs to be used with the prepare API.
  • The auth client requests a new access token by using the refresh token when an existing access token is about to expire or has expired. 

Notes:

  • A refresh token can only be used to get a new access token within the refresh token expiry time. To get a new access token after the refresh token expires, the ACQP must reinitiate the authorization process.
  • In the following sections, Mobile Payment Provider (MPP ) is also known as PSP. For example, pspId refers to the ID that identifies an MPP, and acquirerId refers to the ID that identifies an ACQP. 

Structure

A message consists of a header and body. The following sections are focused on the body structure. For the header structure, see:

Note

Set the data type of each field (except array) as String. This means that you must use double quotation marks (" ") to enclose the field value. Examples:

  • If the data type of a field is Integer and its value is 20, set it as "20".
  • If the data type of a field is Boolean and its value is true, set it as "true". 

Request parameters

authClientId String  REQUIRED

The unique ID that is assigned by the ACQP to identify the auth client, which is usually the merchant. 

More information about this field:

  • Maximum length: 64 characters

grantType String  REQUIRED

This parameter specifies the method through which the auth client can get the access token. Valid values are:

  • AUTHORIZATION_CODE: indicates that the auth client uses the authorization code (authCode) to get an access token.
  • REFRESH_TOKEN: indicates that the auth client uses the refresh token (refreshToken) to get a new access token to replace the existing one. 

authCode String  

The authorization code that is used by the auth client to get the access token. The value of the authCode parameter is extracted from the reconstructed redirection URL that is returned from the MPP or obtained from the authNotify API request.

Note: Required if the value of the grantType parameter is AUTHORIZATION_CODE

More information about this field:

  • Maximum length: 64 characters

refreshToken String  

The refresh token that is used by the auth client to get a new access token to replace the existing one. With this parameter, valid access tokens can be obtained continuously without further interaction with the user.

Note: Required if the value of the grantType parameter is REFRESH_TOKEN

More information about this field:

  • Maximum length: 128 characters

passThroughInfo String  

The information that is passed through by the ACQP to Alipay+. The value of this parameter is in the set of key-value pairs.

Note: Specify this parameter if the ACQP wants to pass information to the MPP. 

More information about this field:

  • Maximum length: 20000 characters

Response parameters

result Result object REQUIRED

The result of applying the token. If the value of the result.resultCode parameter is SUCCESS, the token is returned. See Result processing logic for details. 

Show child parameters

pspId String  

The unique ID that is assigned by Alipay+ to identify an MPP.

Note: Returned if the value of the result.resultCode parameter is SUCCESS

More information about this field:

  • Maximum length: 64 characters

acquirerId String  

The unique ID that is assigned by Alipay+ to identify an ACQP.

Note: Returned if the value of the result.resultCode parameter is SUCCESS

More information about this field:

  • Maximum length: 64 characters

accessToken String  

The token that is used to access the MPP user's resources.

Note: Returned if the value of the result.resultCode parameter is SUCCESS

More information about this field:

  • Maximum length: 128 characters

accessTokenExpiryTime Datetime  

The access token expiration time, after which the access token cannot be used.

Note: Returned if the value of the result.resultCode parameter is SUCCESS.  

More information about this field:

  • The value follows the ISO 8601 standard format. For example, "2019-11-27T12:01:01+08:00".

refreshToken String  

The refresh token that is used by the auth client to get a new access token to replace the existing one. With this parameter, valid access tokens can be obtained continuously without further interaction with the user.

Notes:

  • Returned if the value of the result.resultCode parameter is SUCCESS and the access token is short-term effective.
  • This parameter is not returned if the access token is long-term effective, that is, 10 years or longer.

More information about this field:

  • Maximum length: 128 characters

refreshTokenExpiryTime Datetime  

The refresh token expiration time, after which the refresh token cannot be used. Usually, the refresh token has a longer validity than the access token. 

Note: Returned if the value of the result.resultCode parameter is SUCCESS and the access token is short-term effective. 

More information about this field:

  • The value follows the ISO 8601 standard format. For example, "2019-11-27T12:01:01+08:00".

customerId String  

The unique ID that is assigned by Aliapy+ to identify an MPP user. 

Note: Returned only if the value of the result.resultCode parameter is SUCCESS and the MPP provides a unique ID that identifies the user. 

More information about this field:

  • Maximum length: 64 characters

userLoginId String  

The ID that is used by the user to log in to the MPP platform. The value of userLoginId can be the user's email address or the phone number and is desensitized when returned to the ACQP. The merchant can use this parameter to learn the identity of the user that has completed the authorization.

Note: Required if the value of the result.resultCode parameter is SUCCESS and the value of the scopes parameter of the prepare API contains USER_LOGIN_ID

More information about this field:

  • Maximum length: 64 characters

passThroughInfo String  

The information that is passed through by Alipay+ to the ACQP. The value of this parameter is in the set of key-value pairs.

Note: Returned by the Alipay+ if the MPP wants to pass information to the ACQP. 

More information about this field:

  • Maximum length: 20000 characters

walletForAccountBinding Wallet object 

The wallet that is selected by the user for binding with the user's merchant account.

Note: Required when result.resultCode is SUCCESS

Show child parameters
API Explorer
Sample CodesRun in Sandbox

Request

URL
Case
Apply the access token
Request Body

Response

Case
Authorization result
Response Body

More information

Samples

In this interface, sample requests and responses are provided. Details for these samples are as follows:

Apply the access token

Request

1. The ACQP requests the access token. 

Sample Code

Response 

1.1 Alipay+ sends a response with the access token and the refresh token to the ACQP. 

Sample Code

1.2 Alipay+ sends the authorization result with a long-term effective access token to the ACQP. In this case, refresh token is not included. 

Sample Code

Refresh the access token

Request

1. The ACQP use the refresh token to request a new access token. 

Sample Code

Response

2. Alipay+ sends a response with the new access token to the ACQP. 

Sample Code

Response conditionality

If the access token is long-term effective (for example, 15 years), the refresh token is not included in the response. 

Result processing logic

For different request results, different actions are to be performed. See the following list for details:  

result.resultStatus

result.resultCode

Actions

S

SUCCESS

The request is successful and the access token is returned. The auth client can use the access token to access the corresponding user's resources.

F

...

Handle the error according to the result code table.

U

...

The auth client can guide the user to try again.

No result received

The auth client can guide the user to try again.

Result/Error codes

CodeValueMessageFurther action
SUCCESSSSuccess

The authorization is completed. Store the accessToken and other related parameters.

ACCESS_DENIEDFAccess is denied.

It is recommended that you contact connect_support@service.alipay.com to troubleshoot the issue.

EXPIRED_REFRESH_TOKENFThe refresh token is expired.

The auth client can guide the user to reinitiate the authorization flow.

INVALID_AUTHCODEFThe authorization code is invalid.

Ensure that the authorization code is valid and obtained from Alipay+. If the problem persists, it is recommended that the auth client guide the user to reinitiate the authorization flow.

INVALID_CLIENTFThe client is invalid.

It is recommended that you contact connect_support@service.alipay.com to troubleshoot the issue.

INVALID_REFRESH_TOKENFThe refresh token is invalid.

Ensure that the refresh token is valid and obtained from Alipay+. If the problem persists, it is recommended that you contact connect_support@service.alipay.com to troubleshoot the issue.

INVALID_SIGNATUREFThe signature is invalid.

Check whether the public key, signed message, and signature algorithm are as expected.

KEY_NOT_FOUNDFThe key is not found.

It is recommended that you contact connect_support@service.alipay.com to troubleshoot the issue.

MEDIA_TYPE_NOT_ACCEPTABLEFThe server does not implement the media type that is acceptable to the client.

Use a media type that is accepted by Alipay+.

METHOD_NOT_SUPPORTEDFThe server does not implement the requested HTTPS method.

Ensure the HTTP method is POST.

NO_INTERFACE_DEFFAPI is not defined.

Check whether the request URL is correct. Ensure that the endpoint of the called API is correct.

PARAM_ILLEGALFIllegal parameters. For example, non-numeric input, invalid date.

Check whether the request parameters, including the header parameters and body parameters, are correct and valid. For more information about the parameters of each API, see the Structure section of the specific API reference topic.

PROCESS_FAILFA general business failure occurred. Do not retry.

It is recommended that you contact connect_support@service.alipay.com to troubleshoot the issue.

REQUEST_TRAFFIC_EXCEED_LIMITUThe request traffic exceeds the limit.

Reduce the frequency of API calls.

UNKNOWN_EXCEPTIONUAn API call failed, which is caused by unknown reasons.

Try to recall the API.