Acquire service account token

To acquire a new API token with OAuth 2.0, you need four pieces of information from the Tango portal: the client ID, client secret, service account username, and service account password. With this information, use the POST {URI}/oauth/token endpoint to acquire a new token. To get the client ID, client secret, username, and password, refer to Use OAuth for secure connection.

📘

Note:

  • A token has a Time-to-Live (TTL) of either 24 hours (86,400 seconds) or 5 mins (300 seconds), determined by the audience you select at the time of token creation.
  • Once created, an access token can only be used for its TTL period. Create a new token at least once every TTL period to authenticate calls. New tokens can be generated using the same client credentials and service accounts, or the updated credentials.

Endpoint

Use the following endpoint to request a new OAuth token:

| Endpoint | Description |
|---|---|
| POST {URI}/oauth/token | To acquire a new OAuth token. |

Parameters

The following parameters are used when requesting an OAuth token from Tango. This token is required before calling any protected Tango APIs:

| Form Data | Data type | Requirement | Description |
|---|---|---|---|
| client_id | string | required | The client_id is a variable referring to the Client ID field value generated in the Tango portal under OAuth client credentials. |
| client_secret | string | required | The client_secret is a variable referring to the Client Secret field value generated in the Tango portal under OAuth client credentials. |
| username | string | required | The Service Account username created in the Tango portal under OAuth Service Accounts. |
| password | string | required | The Service Account password created in the Tango portal under OAuth Service Accounts. |
| scope | string | required | Space-separated list of OAuth scopes. The value is static: always raas.all. |
| audience | string | required | Audience determines token TTL: https://api.tangocard.com --> 24-hour TTL; api.bhn.com/fiveminute --> 5-minute token |
| grant_type | string | required | grant_type is currently password for this integration flow. This corresponds to the OAuth 2.0 Resource Owner Password Credentials (ROPC) grant used by this API. |

Headers provide metadata about an HTTP request, telling the server how to parse the incoming data and what format to use when returning the response. The following headers are used in your request:

| Headers | Requirement | Data type |
|---|---|---|
| Content-type | optional | string |
| Accept | optional | string |

Examples

These examples use the sandbox endpoint. For production, use the production auth endpoint configured for your platform. Confirm endpoint hostnames in the API testing/reference documentation before go-live.

Here's an example request that uses the above parameters to create a 24-hour token:

curl --request POST \
    --url https://sandbox-auth.tangocard.com/oauth/token \
    --header 'Accept: application/json' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data client_id=string \
    --data client_secret=string \
    --data username=string \
    --data 'password=string' \
    --data scope=raas.all \
    --data audience=https://api.tangocard.com/ \
    --data grant_type=password

Here's an example of the returned payload:

{
  "access_token": "<string>",
  "scope": "<string>",
  "expires_in": "<integer>",
  "token_type": "Bearer"
}


Using DPoP with this endpoint (optional)

This endpoint also supports DPoP for enhanced security. If your platform has DPoP enabled, include a DPoP HTTP header in your token request containing a DPoP Proof JWT. All existing form parameters remain the same; only the DPoP header is added.

| Additional Header | Requirement | Description |
|---|---|---|
| DPoP | Required when using DPoP | A signed DPoP Proof JWT with htm=POST and htu set to the token endpoint URI. See "Use OAuth with DPoP for maximum security" for instructions on how to construct a proof. |

Here's an example of a DPoP token request:

curl --request POST \
  --url https://sandbox-auth.tangocard.com/oauth/token \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'DPoP: <dpop_proof_jwt>' \
  --data client_id=string \
  --data client_secret=string \
  --data username=string \
  --data 'password=string' \
  --data scope=raas.all \
  --data audience=https://api.tangocard.com/ \
  --data grant_type=password

Here's the DPoP token response:

{
  "access_token": "<string>",
  "scope": "raas.all",
  "expires_in": 86400,
  "token_type": "DPoP"
}

When DPoP is active, token_type is DPoP rather than Bearer. Use Authorization: DPoP (not Authorization: Bearer) on all subsequent API calls.
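The following is an added example, not code from Tango: a client-side helper that form-encodes the token request so special characters in secrets survive, renews the token before its TTL lapses, and takes the Authorization scheme from token_type. The names build_token_request, fetch_token and TokenCache, the credentials dict, and the choice to renew when a tenth of the TTL remains are assumptions.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://sandbox-auth.tangocard.com/oauth/token"  # sandbox URL from the page
REQUIRED = ("client_id", "client_secret", "username", "password")


def build_token_request(creds, audience="https://api.tangocard.com/", dpop_proof=None):
    """Build (without sending) the form-encoded POST for a new token."""
    missing = [k for k in REQUIRED if not creds.get(k)]
    if missing:
        raise ValueError(f"missing credential fields: {missing}")
    form = {k: creds[k] for k in REQUIRED}
    form.update(scope="raas.all", audience=audience, grant_type="password")
    headers = {"Accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded"}
    if dpop_proof:  # proof JWT is built elsewhere (htm=POST, htu=TOKEN_URL)
        headers["DPoP"] = dpop_proof
    # urlencode percent-encodes '&', '=', '+' and spaces inside secrets.
    body = urllib.parse.urlencode(form).encode("ascii")
    return urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")


def fetch_token(creds, **kwargs):
    """Live call; urllib raises HTTPError for the 400 and 401 responses."""
    with urllib.request.urlopen(build_token_request(creds, **kwargs), timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Keeps one token and replaces it before its TTL runs out."""

    def __init__(self, fetch, clock=time.monotonic):
        self._fetch, self._clock = fetch, clock  # fetch() returns the JSON payload
        self._header, self._renew_at = None, 0.0

    def authorization(self):
        """Return the Authorization header value, renewing the token if due."""
        if self._header is None or self._clock() >= self._renew_at:
            payload = self._fetch()
            scheme = payload["token_type"]
            if scheme not in ("Bearer", "DPoP"):
                raise ValueError(f"unexpected token_type {scheme!r}")
            ttl = int(payload["expires_in"])  # 86400 or 300, set by audience
            # Assumption: renew once the last tenth of the TTL is reached.
            self._renew_at = self._clock() + ttl - ttl // 10
            self._header = f"{scheme} {payload['access_token']}"
        return self._header
```

Wire it up as TokenCache(lambda: fetch_token(creds)), with creds loaded from a secret store rather than from source code or command-line arguments.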


Response codes

The response message for this endpoint is. For details, see i18nkey codes and their error messages:

  • 200 OK
  • 400 Bad Request
  • 401 Unauthorized

© 2026 Tango API are provided by Tango, a division of BHN, Inc.