# Login

### User Authentication and Authorization Initialization

## POST /in-store/oauth2/authorize

> This service starts the authorization step and generates an "auth code".\
> \
> Flow:\
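> 1\) A request is sent to this service with a form-urlencoded body. The body carries client\_secret and the user's password, so it should only be sent over HTTPS and never written to logs.\
> 2\) The "code" value is read from the response.\
> 3\) The "code" value is then sent to the "Get Token with Auth Code" service to generate a token.<br>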

```json
{"openapi":"3.0.3","info":{"title":"Terminal API – Outside Flow","version":"1.0.3"},"tags":[{"name":"OAuth"}],"servers":[{"url":"https://api.iyzipay.com"},{"url":"https://sandbox-api.iyzipay.com"}],"paths":{"/in-store/oauth2/authorize":{"post":{"tags":["OAuth"],"description":"This service starts the authorization step and generates an \"auth code\".\n\nFlow:\n1) A request is sent to this service with a form-urlencoded body.\n2) The \"code\" value in the response is received.\n3) The received \"code\" value is used in the \"Get Token with Auth Code\" service to generate a token.\n","requestBody":{"required":true,"content":{"application/x-www-form-urlencoded":{"schema":{"$ref":"#/components/schemas/OAuthAuthorizeRequest"}}}},"responses":{"200":{"description":"Success","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuthAuthorizeResponse"}}}},"401":{"description":"Unauthorized","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuthAuthorizeErrorResponse"}}}}}}}},"components":{"schemas":{"OAuthAuthorizeRequest":{"type":"object","required":["scope","client_id","client_secret","response_type","username","password","request_timestamp"],"properties":{"scope":{"type":"string","description":"Default value: iyzipayApiGateway","enum":["iyzipayApiGateway"]},"client_id":{"type":"string","description":"Merchant-specific client_id value provided by iyzico."},"client_secret":{"type":"string","description":"Merchant-specific client secret value generated by iyzico."},"response_type":{"type":"string","description":"Default value: code","enum":["code"]},"username":{"type":"string","description":"Username"},"password":{"type":"string","description":"User password"},"request_timestamp":{"type":"string","description":"Unix timestamp value of the relevant request."}}},"OAuthAuthorizeResponse":{"type":"object","properties":{"code":{"type":"string","description":"Auth Code"},"issuedAt":{"type":"string","description":"Transaction 
date"},"expiredAt":{"type":"string","description":"Transaction validity date"}}},"OAuthAuthorizeErrorResponse":{"type":"object","properties":{"errorCode":{"type":"string","description":"Error Code"},"description":{"type":"string","description":"Error Description"},"uri":{"type":"string","description":"Returned in some cases"}}}}}}
```

### Sample Collection

<table data-view="cards"><thead><tr><th></th></tr></thead><tbody><tr><td><a href="https://www.postman.com/iyzico/iyzico/request/47010871-736de0b5-c39a-4c8e-8c9f-626b4ce8414a">Postman</a></td></tr></tbody></table>

### Get Token with Auth Code / Refresh Token

## POST /in-store/oauth2/token

> This service generates access\_token and refresh\_token using the auth code.\
> \
> Authorization (Basic Auth):\
> \- Username: client\_id\
> \- Password: client\_secret\
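> Header format:\
> Authorization: Basic base64(client\_id:client\_secret)\
> Base64 is an encoding, not encryption, so this header must be protected like the client\_secret itself (HTTPS only, not logged).\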
> \
> Flow (Auth Code):\
> 1\) The "code" returned by the /authorize call is taken from its response.\
> 2\) It is sent to this service with a form-urlencoded body:\
> &#x20;  \- grant\_type=authorization\_code\
> &#x20;  \- code={authCode}\
> 3\) From the response:\
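> &#x20;  \- access\_token: Used as the Bearer token in Terminal Host services.\
> &#x20;  \- refresh\_token: Stored for token renewal; keep it in protected storage, since together with the client credentials it can be used to obtain new access tokens.\
> &#x20;  \- expires\_in: access\_token validity period (seconds).<br>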

```json
{"openapi":"3.0.3","info":{"title":"Terminal API – Outside Flow","version":"1.0.3"},"tags":[{"name":"OAuth"}],"servers":[{"url":"https://api.iyzipay.com"},{"url":"https://sandbox-api.iyzipay.com"}],"security":[{"BasicAuth":[]}],"components":{"securitySchemes":{"BasicAuth":{"type":"http","scheme":"basic","description":"Authorization with Basic Auth.\nPostman Basic Auth fields:\n- Username: client_id\n- Password: client_secret\n\nHTTP header equivalent:\nAuthorization: Basic base64(client_id:client_secret)\n"}},"schemas":{"OAuthTokenRequestAuthCode":{"type":"object","required":["grant_type","code"],"description":"Generates a JWT token using the Authorization Code. Basic Auth is performed with client_id and client_secret.","properties":{"grant_type":{"type":"string","description":"Transaction type for token generation","enum":["authorization_code","refresh_token"]},"code":{"type":"string","description":"authCode value generated during the authorization step."}}},"OAuthTokenRequestRefresh":{"type":"object","required":["grant_type","refresh_token"],"description":"Generates a JWT token using the Refresh Token. 
Basic Auth is performed with client_id and client_secret.","properties":{"grant_type":{"type":"string","description":"Transaction type for token generation","enum":["authorization_code","refresh_token"]},"refresh_token":{"type":"string","description":"Refresh token value to be used for token renewal."}}},"OAuthTokenResponse":{"type":"object","properties":{"access_token":{"type":"string","description":"Access Token Value"},"refresh_token":{"type":"string","description":"Refresh Token Value"},"scope":{"type":"string","description":"Default Scope Value","enum":["iyzipayApiGateway"]},"token_type":{"type":"string","description":"Token type used in authorization"},"expires_in":{"type":"integer","format":"int32","description":"Validity period in seconds."}}},"OAuthSimpleError":{"type":"object","properties":{"error":{"type":"string"}}}}},"paths":{"/in-store/oauth2/token":{"post":{"tags":["OAuth"],"description":"This service generates access_token and refresh_token using the auth code.\n\nAuthorization (Basic Auth):\n- Username: client_id\n- Password: client_secret\nHeader format:\nAuthorization: Basic base64(client_id:client_secret)\n\nFlow (Auth Code):\n1) The \"code\" returned from /authorize call is retrieved.\n2) It is sent to this service with a form-urlencoded body:\n   - grant_type=authorization_code\n   - code={authCode}\n3) From the response:\n   - access_token: Used as Bearer Token in Terminal Host services.\n   - refresh_token: Stored for token renewal.\n   - expires_in: access_token validity period (seconds).\n","requestBody":{"required":true,"content":{"application/x-www-form-urlencoded":{"schema":{"oneOf":[{"$ref":"#/components/schemas/OAuthTokenRequestAuthCode"},{"$ref":"#/components/schemas/OAuthTokenRequestRefresh"}]}}}},"responses":{"200":{"description":"Success","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuthTokenResponse"}}}},"400":{"description":"Bad 
Request","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuthSimpleError"}}}},"401":{"description":"Unauthorized","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuthSimpleError"}}}}}}}}}
```

## Get Token with Refresh Token

> This service (POST /in-store/oauth2/token/refresh) generates a new access\_token using the refresh\_token (token renewal).\
> \
> Authorization (Basic Auth):\
> \- Username: client\_id\
> \- Password: client\_secret\
> Header format:\
> Authorization: Basic base64(client\_id:client\_secret)\
> \
> Flow:\
> 1\) The "refresh\_token" received from the previous token call is stored.\
> 2\) It is sent to this service with a form-urlencoded body:\
> &#x20;  \- grant\_type=refresh\_token\
> &#x20;  \- refresh\_token={refresh\_token}\
> 3\) The new access\_token is received from the response and used in Terminal Host services.<br>

```json
{"openapi":"3.0.3","info":{"title":"Terminal API – Outside Flow","version":"1.0.3"},"tags":[{"name":"OAuth"}],"servers":[{"url":"https://api.iyzipay.com"},{"url":"https://sandbox-api.iyzipay.com"}],"security":[{"BasicAuth":[]}],"components":{"securitySchemes":{"BasicAuth":{"type":"http","scheme":"basic","description":"Authorization with Basic Auth.\nPostman Basic Auth fields:\n- Username: client_id\n- Password: client_secret\n\nHTTP header equivalent:\nAuthorization: Basic base64(client_id:client_secret)\n"}},"schemas":{"OAuthTokenRequestRefresh":{"type":"object","required":["grant_type","refresh_token"],"description":"Generates a JWT token using the Refresh Token. Basic Auth is performed with client_id and client_secret.","properties":{"grant_type":{"type":"string","description":"Transaction type for token generation","enum":["authorization_code","refresh_token"]},"refresh_token":{"type":"string","description":"Refresh token value to be used for token renewal."}}},"OAuthTokenResponse":{"type":"object","properties":{"access_token":{"type":"string","description":"Access Token Value"},"refresh_token":{"type":"string","description":"Refresh Token Value"},"scope":{"type":"string","description":"Default Scope Value","enum":["iyzipayApiGateway"]},"token_type":{"type":"string","description":"Token type used in authorization"},"expires_in":{"type":"integer","format":"int32","description":"Validity period in seconds."}}},"OAuthSimpleError":{"type":"object","properties":{"error":{"type":"string"}}}}},"paths":{"/in-store/oauth2/token/refresh":{"post":{"tags":["OAuth"],"summary":"Get Token with Refresh Token","description":"This service generates a new access_token using the refresh_token (token renewal).\n\nAuthorization (Basic Auth):\n- Username: client_id\n- Password: client_secret\nHeader format:\nAuthorization: Basic base64(client_id:client_secret)\n\nFlow:\n1) The \"refresh_token\" received from the previous token call is stored.\n2) It is sent to this service with a 
form-urlencoded body:\n   - grant_type=refresh_token\n   - refresh_token={refresh_token}\n3) The new access_token is received from the response and used in Terminal Host services.\n","requestBody":{"required":true,"content":{"application/x-www-form-urlencoded":{"schema":{"$ref":"#/components/schemas/OAuthTokenRequestRefresh"}}}},"responses":{"200":{"description":"Success","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuthTokenResponse"}}}},"401":{"description":"Unauthorized","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuthSimpleError"}}}}}}}}}
```

### Sample Collection

<table data-view="cards"><thead><tr><th></th></tr></thead><tbody><tr><td><a href="https://www.postman.com/iyzico/iyzico/request/47010871-e6a71b90-907e-45f2-9968-8c6f87c47040">Auth Code</a></td></tr><tr><td><a href="https://www.postman.com/iyzico/iyzico/request/47010871-1898d0c7-82ce-4b9b-ab89-d00d2fe42a3f">Refresh Token</a></td></tr></tbody></table>
