# applyToken

The Mobile Payment Provider (MPP) uses the **applyToken** API to provide an access token to Alipay+. Access tokens are used for purposes such as:

-   initiating an Auto Debit payment.
-   initiating a one-time password (OTP) verification process.

The **applyToken** API is used in the following cases:

-   After the auth client receives the auth code, Alipay+ requests the access token from the MPP.
-   The auth client requests a new access token by using the refresh token when an existing access token is about to expire or has expired.
-   After the auth client receives the auth code, Alipay+ requests the customer ID from the MPP for payments in the Chinese mainland.

> **Note**:
>
> -   A refresh token can only be used to get a new access token within the refresh token expiry time.
> -   In the following sections, the Mobile Payment Partner (MPP) is also known as PSP. For example, _pspId_ refers to the ID that identifies an MPP.

# Structure

A message consists of a header and body. The following sections are focused on the body structure. For the header structure, see:

-   [Request header](https://docs.alipayplus.com/alipayplus/alipayplus/api_mpp/api_overview.md#3mLq0)
-   [Response header](https://docs.alipayplus.com/alipayplus/alipayplus/api_mpp/api_overview.md#YdmVS) 

> **Note**:
>
> 1.  Set the data type of each parameter (except array) as String. This means that you must use double quotation marks (" ") to enclose the parameter value. Examples:
>
>     -   If the data type of a parameter is Integer and its value is 20, set it as "20".
>     -   If the data type of a parameter is Boolean and its value is `true`, set it as "true".
>
> 2.  For optional parameters that are not required in your case, you can take one of the following actions:
>
>     -   Exclude the parameters from the request body.
>     -   Set the parameter values as `null` (without the double quotation marks).
>
> Do NOT leave the optional parameters empty by setting their values as `""`; otherwise, an error might occur.

## Request parameters

#### pspId (String, REQUIRED)

The unique ID that is assigned by Alipay+ to identify an MPP.

More information:

- Maximum length: 64 characters

#### acquirerId (String, REQUIRED)

The unique ID that is assigned by Alipay+ to identify an ACQP.

More information:

- Maximum length: 64 characters

#### grantType (String, REQUIRED)

This parameter specifies the method through which the auth client can get the access token. Valid values are:

-   `AUTHORIZATION_CODE`: indicates that the auth client uses the authorization code (_authCode_) to get an access token.
-   `REFRESH_TOKEN`: indicates that the auth client uses the refresh token (_refreshToken_) to get a new access token to replace the existing one.

#### authCode (String)

The authorization code that is used by the auth client to get the access token. The MPP generates the authorization code after the user completes the authorization.

**Notes**: 

-   The first 8 digits of the authorization code must be in the format of `281***13`. The fourth to sixth digits are assigned by Alipay+.
-   Required when the value of the _grantType_ parameter is `AUTHORIZATION_CODE`.

More information:

- Maximum length: 32 characters

#### refreshToken (String)

The refresh token that is used by the auth client to get a new access token to replace the existing one. With this parameter, valid access tokens can be obtained continuously without further interaction with the user.

This parameter is specified by Alipay+ if the value of the _grantType_ parameter is `REFRESH_TOKEN`.

More information:

- Maximum length: 128 characters

#### passThroughInfo (String)

The information that is passed through by Alipay+ to the MPP. The value of this parameter is a set of key-value pairs.

This parameter is specified by Alipay+ if the ACQP wants to pass information to the MPP.

More information:

- Maximum length: 20000 characters

#### indirectMpp (IndirectMpp)

Information about the indirect MPP.

Specify this parameter when the payment involves an indirect MPP, for example, when the payment is processed through a special payment network.

##### indirectMppId (String, REQUIRED)

The indirect MPP ID.

More information:

- Maximum length: 64 characters

##### indirectMppName (String)

The legal name of the indirect MPP.

More information:

- Maximum length: 256 characters
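The request rules above (String typing, no empty strings, maximum lengths, the credential each _grantType_ requires, and the `281***13` authorization code prefix) can be enforced by the MPP before any token lookup. The following is an added example, not Alipay+ or MPP code; the function names, the reading of `***` as three decimal digits, and the choice of `INVALID_AUTHCODE` for a malformed prefix are assumptions of this example.

```python
import re

# Maximum lengths from the parameter definitions on this page.
MAX_LEN = {"pspId": 64, "acquirerId": 64, "authCode": 32,
           "refreshToken": 128, "passThroughInfo": 20000}
INDIRECT_MAX_LEN = {"indirectMppId": 64, "indirectMppName": 256}
# "281", three positions assigned by Alipay+ (assumed decimal digits), then "13".
AUTH_CODE_PREFIX = re.compile(r"281[0-9]{3}13")
# Each grant type and the credential that must accompany it.
CREDENTIAL_FOR = {"AUTHORIZATION_CODE": "authCode",
                  "REFRESH_TOKEN": "refreshToken"}


def fail(code, message):
    """Build a failed result object (resultStatus F)."""
    return {"result": {"resultCode": code, "resultStatus": "F",
                       "resultMessage": message}}


def check_strings(obj, limits, required):
    """Apply the string, non-empty and length rules to one JSON object."""
    for name, limit in limits.items():
        value = obj.get(name)
        if value is None:  # absent or null is fine for optional parameters
            if name in required:
                return fail("PARAM_ILLEGAL", f"{name} is required")
            continue
        if not isinstance(value, str) or value == "" or len(value) > limit:
            return fail("PARAM_ILLEGAL", f"{name} is not a valid string")
    return None


def validate_apply_token(body):
    """Return None for a well-formed request body, else a failure response."""
    grant = body.get("grantType")
    credential = CREDENTIAL_FOR.get(grant) if isinstance(grant, str) else None
    if credential is None:
        return fail("PARAM_ILLEGAL", "grantType is missing or unsupported")
    error = check_strings(body, MAX_LEN, {"pspId", "acquirerId", credential})
    indirect = body.get("indirectMpp")
    if error is None and indirect is not None:
        if not isinstance(indirect, dict):
            return fail("PARAM_ILLEGAL", "indirectMpp must be an object")
        error = check_strings(indirect, INDIRECT_MAX_LEN, {"indirectMppId"})
    if error is None and credential == "authCode":
        if not AUTH_CODE_PREFIX.match(body["authCode"]):
            # INVALID_AUTHCODE rather than PARAM_ILLEGAL is this example's choice.
            error = fail("INVALID_AUTHCODE", "authCode prefix is malformed")
    return error
```
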

## Response parameters

#### result (Result, REQUIRED)

The result of applying the token. If the value of the _result_._resultCode_ parameter is `SUCCESS`, the token is successfully sent to Alipay+. For more information about how to return the result, see _How to return the result_.

##### resultCode (String, REQUIRED)

The result code that indicates the detailed processing result.

More information:

- Maximum length: 64 characters

##### resultStatus (String, REQUIRED)

The result status that indicates the processing result. Valid values are:

-   `S`: Successful
-   `F`: Failed
-   `U`: Unknown

##### resultMessage (String)

The result message that describes the result code in detail.

It is recommended that you specify this parameter to provide details about the result.

More information:

- Maximum length: 256 characters

#### accessToken (String)

The token that is used to access the MPP user's resources.

Return this parameter if the value of the _result.resultCode_ parameter is `SUCCESS`.

More information:

- Maximum length: 128 characters

#### accessTokenExpiryTime (Datetime)

The access token expiration time, after which the access token cannot be used.

Return this parameter if the value of the _result.resultCode_ parameter is `SUCCESS`.

More information:

- The value follows the [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) standard format. For example, "2019-11-27T12:01:01+08:00".

#### refreshToken (String)

The refresh token that is used by the auth client to get a new access token to replace the existing one. With this parameter, valid access tokens can be obtained continuously without further interaction with the user. The value of this parameter must follow the Alipay+ coding standard.

Return this parameter if the value of the _result.resultCode_ parameter is `SUCCESS` and the access token is short-term effective. You are not required to return this parameter if the access token is long-term effective, that is, 10 years or longer.

More information:

- Maximum length: 128 characters

#### refreshTokenExpiryTime (Datetime)

The refresh token expiration time, after which the refresh token cannot be used. It is recommended that the refresh token is valid longer than the access token.

Return this parameter if the value of the _result.resultCode_ parameter is `SUCCESS` and the _accessToken_ is short-term effective.

More information:

- The value follows the [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) standard format. For example, "2019-11-27T12:01:01+08:00".

#### customerId (String)

The unique ID that is assigned by the MPP to identify an MPP user.

Return this parameter if the value of the _result.resultCode_ parameter is `SUCCESS`.

More information:

- Maximum length: 64 characters

#### userLoginId (String)

The login ID that is used by the user to log in to the MPP platform. The value of _userLoginId_ can be the user's email address or phone number and is desensitized when returned to the ACQP. The merchant will display the desensitized login ID to the user on payment initialization.

Return this parameter if the value of the _result.resultCode_ parameter is `SUCCESS` and the value of the _scopes_ parameter of the **prepare** API contains `USER_LOGIN_ID`.

More information:

- Maximum length: 64 characters

#### passThroughInfo (String)

The information that is passed through by Alipay+ to the MPP. The value of this parameter is a set of key-value pairs.

Return this parameter if the MPP wants to pass information to the ACQP.

More information:

- Maximum length: 20000 characters

## More information

### How to return the result

According to the request processing result, the MPP needs to return the corresponding result (specified by the result parameter):

-   If the token application succeeds, set the value of _result.resultStatus_ to `S` and the value of _result.resultCode_ to `SUCCESS`.
-   If the token application fails, set the value of _result.resultStatus_ to `F` and the value of _result.resultCode_ accordingly.
-   If the token application result is unknown, set the value of _result.resultStatus_ to `U` and the value of _result.resultCode_ accordingly.

For more information about how to define your result codes, see the _Result codes_ section below. 
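The response rules above (status and code must agree, which fields accompany `SUCCESS`, and when the refresh token fields are needed) can be checked by the MPP before a response is sent. The following is an added example, not Alipay+ or MPP code; the function names, the requirement of an explicit UTC offset, and the 3650-day approximation of "10 years" are assumptions of this example.

```python
from datetime import datetime, timedelta

LONG_TERM = timedelta(days=3650)  # "10 years or longer", approximated in days


def parse_time(value):
    """Parse a value such as 2019-11-27T12:01:01+08:00; None if unusable."""
    try:
        parsed = datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None
    # Requiring a UTC offset is this example's choice, so comparisons are unambiguous.
    return parsed if parsed.tzinfo is not None else None


def check_response(resp, now):
    """Return a list of problems found in an applyToken response body.

    `now` must be a timezone-aware datetime.
    """
    problems = []
    result = resp.get("result") or {}
    code, status = result.get("resultCode"), result.get("resultStatus")
    if status not in ("S", "F", "U") or (status == "S") != (code == "SUCCESS"):
        problems.append("resultStatus and resultCode are inconsistent")
    if code != "SUCCESS":
        return problems
    access_exp = parse_time(resp.get("accessTokenExpiryTime"))
    if not resp.get("accessToken") or access_exp is None:
        return problems + ["accessToken and a valid accessTokenExpiryTime are required"]
    if access_exp <= now:
        problems.append("access token is already expired")
    if not resp.get("customerId"):
        problems.append("customerId is required on SUCCESS")
    if access_exp - now >= LONG_TERM:
        return problems  # long-term token: refresh fields are not required
    refresh_exp = parse_time(resp.get("refreshTokenExpiryTime"))
    if not resp.get("refreshToken") or refresh_exp is None:
        problems.append("short-term access token needs refreshToken and its expiry")
    elif refresh_exp <= access_exp:
        problems.append("refresh token should outlive the access token")
    return problems
```
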

### Sample

#### Apply the access token

Alipay+ requests the access token from the MPP.

1\. Alipay+ sends the request to the Mobile Payment Provider.

```json
{
  "acquirerId": "102218800000000001",
  "pspId": "102208800000000001",
  "authCode": "281010133AB2F588D14B432312345678",
  "grantType": "AUTHORIZATION_CODE"
}
```

2\. The MPP returns the access token to Alipay+.

```json
{
  "result": {
    "resultCode": "SUCCESS",
    "resultMessage": "success",
    "resultStatus": "S"
  },
  "accessToken": "281010033AB2F588D14B43238637264FCA5AAF35",
  "accessTokenExpiryTime": "2022-06-06T12:12:12+08:00",
  "refreshToken": "2810100334F62CBC577F468AAC87CFC6C9107811",
  "refreshTokenExpiryTime": "2022-06-08T12:12:12+08:00",
  "customerId": "2789808900000000000000001",
  "userLoginId": "62-***2736"
}
```

#### Refresh the access token

Use the **refreshToken** to request a new access token.

1\. Alipay+ sends a request to obtain a new access token.

```json
{
  "acquirerId": "102218800000000001",
  "pspId": "102208800000000001",
  "refreshToken": "2810100334F62CBC577F468AAC87CFC6C9107811",
  "grantType": "REFRESH_TOKEN"
}
```

2\. The MPP returns the access token to Alipay+.

```json
{
  "result": {
    "resultCode": "SUCCESS",
    "resultMessage": "success",
    "resultStatus": "S"
  },
  "accessToken": "281010033AB2F588D14B43238637264FCA5AAF35",
  "accessTokenExpiryTime": "2022-06-06T12:12:12+08:00",
  "refreshToken": "2810100334F62CBC577F468AAC87CFC6C9107811",
  "refreshTokenExpiryTime": "2022-06-08T12:12:12+08:00",
  "customerId": "2789808900000000000000001",
  "userLoginId": "62-***2736"
}
```

## Result/Error codes

| Code | Value | Message |
| --- | --- | --- |
| SUCCESS | S | Success |
| ACCESS_DENIED | F | Access is denied. |
| EXPIRED_REFRESH_TOKEN | F | The refresh token is expired. |
| INVALID_AUTHCODE | F | The authorization code is invalid. |
| INVALID_CLIENT | F | The client is invalid. |
| INVALID_REFRESH_TOKEN | F | The refresh token is invalid. |
| INVALID_SIGNATURE | F | The signature is invalid. |
| KEY_NOT_FOUND | F | The key is not found. |
| MEDIA_TYPE_NOT_ACCEPTABLE | F | The server does not implement the media type that is acceptable to the client. |
| METHOD_NOT_SUPPORTED | F | The server does not implement the requested HTTPS method. |
| NO_INTERFACE_DEF | F | API is not defined. |
| PARAM_ILLEGAL | F | Illegal parameters. For example, non-numeric input, invalid date. |
| PROCESS_FAIL | F | A general business failure occurred. Do not retry. |
| REQUEST_TRAFFIC_EXCEED_LIMIT | U | The request traffic exceeds the limit. |
| UNKNOWN_EXCEPTION | U | An API call failed, which is caused by unknown reasons. |

## Request

### AUTH_CODE_APPLY, ACCESSTOKEN_APPLY

```json
{
  "acquirerId": "102218800000000001",
  "pspId": "102208800000000001",
  "authCode": "281010133AB2F588D14B432312345678",
  "grantType": "AUTHORIZATION_CODE",
  "indirectMpp": {
    "indirectMppId": "xxxMppId",
    "indirectMppName": "xxxMppName"
  }
}
```

## Response

### AUTH_CODE_APPLY, AUTH_CODE_REPONSE, AUTH_CODE_RESPONSE

```json
{
  "result": {
    "resultCode": "SUCCESS",
    "resultMessage": "success",
    "resultStatus": "S"
  },
  "accessToken": "281010033AB2F588D14B43238637264FCA5AAF35",
  "accessTokenExpiryTime": "2022-06-06T12:12:12+08:00",
  "refreshToken": "2810100334F62CBC577F468AAC87CFC6C9107811",
  "refreshTokenExpiryTime": "2022-06-08T12:12:12+08:00",
  "customerId": "2789808900000000000000001",
  "userLoginId": "62-34312736"
}
```