Login

User Authentication and Authorization Initialization

post

/in-store/oauth2/authorize

This service starts the authorization step and generates an "auth code".

Flow:

A request is sent to this service with a form-urlencoded body.
The "code" value in the response is received.
The received "code" value is used in the "Get Token with Auth Code" service to generate a token.

Body

scopestring · enumRequired

Default value: iyzipayApiGateway

Possible values:

client_idstringRequired

Merchant-specific client_id value provided by iyzico.

client_secretstringRequired

Merchant-specific client secret value generated by iyzico.

response_typestring · enumRequired

Default value: code

Possible values:

usernamestringRequired

Username

passwordstringRequired

User password

request_timestampstringRequired

Unix timestamp value of the relevant request.

Responses

200

Success

application/json

codestringOptional

Auth Code

issuedAtstringOptional

Transaction date

expiredAtstringOptional

Transaction validity date

401

Unauthorized

application/json

post

/in-store/oauth2/authorize

POST /in-store/oauth2/authorize HTTP/1.1
Host: api.iyzipay.com
Content-Type: application/x-www-form-urlencoded
Accept: */*
Content-Length: 188

"scope='iyzipayApiGateway'&client_id='client_id'&client_secret='client_secret'&response_type='code'&username='username'&password='password'&request_timestamp='1755677361682'"

{
  "code": "O6C8tPb0iHee-V_2Kr1stc3AGNzCMziBHjeEmQSgkz7nGuEMeu01ZfvkJSRIEpW0RbtooPNX1YRw_4cGaxVD6ENXPjc01IrnO-REiuzkvjdeYOXDclwZMx-KlJU8rC3n",
  "issuedAt": "2025-12-25T14:05:49.379055098+03:00",
  "expiredAt": "2025-12-25T14:15:49.379055098+03:00"
}

Sample Collection

Postman

Get Token with Auth Code / Refresh Token

post

/in-store/oauth2/token

This service generates access_token and refresh_token using the auth code.

Authorization (Basic Auth):

Username: client_id
Password: client_secret Header format: Authorization: Basic base64(client_id:client_secret)

Flow (Auth Code):

The "code" returned from /authorize call is retrieved.
It is sent to this service with a form-urlencoded body:
- grant_type=authorization_code
- code={authCode}
From the response:
- access_token: Used as Bearer Token in Terminal Host services.
- refresh_token: Stored for token renewal.
- expires_in: access_token validity period (seconds).

Authorizations

AuthorizationstringRequired

Authorization with Basic Auth. Postman Basic Auth fields:

Username: client_id
Password: client_secret

HTTP header equivalent: Authorization: Basic base64(client_id:client_secret)

Body

Responses

200

Success

application/json

access_tokenstringOptional

Access Token Value

refresh_tokenstringOptional

Refresh Token Value

scopestring · enumOptional

Default Scope Value

Possible values:

token_typestringOptional

Token type used in authorization

expires_ininteger · int32Optional

Validity period in seconds.

400

Bad Request

application/json

401

Unauthorized

application/json

post

/in-store/oauth2/token

POST /in-store/oauth2/token HTTP/1.1
Host: api.iyzipay.com
Authorization: Basic username:password
Content-Type: application/x-www-form-urlencoded
Accept: */*
Content-Length: 57

"grant_type='authorization_code'&code='{{authCode}}'"

{
  "access_token": "eyJraWQiOiI4M2Q0NDExYy05M2EzLTRiOWQtOGUwYi0xM2JjZGYxMGZmNTYiLCJhbGciOiJSUzI1NiJ9.example",
  "refresh_token": "HKi_OISDcC451HdL90Nb2FzGrrjFEKzOQCSr3dgYRbe76OCi5zRr7dXaVmCTqTPDnqFdSP-example",
  "scope": "iyzipayApiGateway",
  "token_type": "Bearer",
  "expires_in": 7199
}

Get Token with Refresh Token

post

/in-store/oauth2/token/refresh

This service generates a new access_token using the refresh_token (token renewal).

Authorization (Basic Auth):

Username: client_id
Password: client_secret Header format: Authorization: Basic base64(client_id:client_secret)

Flow:

The "refresh_token" received from the previous token call is stored.
It is sent to this service with a form-urlencoded body:
- grant_type=refresh_token
- refresh_token={refresh_token}
The new access_token is received from the response and used in Terminal Host services.

Authorizations

AuthorizationstringRequired

Authorization with Basic Auth. Postman Basic Auth fields:

Username: client_id
Password: client_secret

HTTP header equivalent: Authorization: Basic base64(client_id:client_secret)

Body

Generates a JWT token using the Refresh Token. Basic Auth is performed with client_id and client_secret.

grant_typestring · enumRequired

Transaction type for token generation

Possible values:

refresh_tokenstringRequired

Refresh token value to be used for token renewal.

Responses

200

Success

application/json

access_tokenstringOptional

Access Token Value

refresh_tokenstringOptional

Refresh Token Value

scopestring · enumOptional

Default Scope Value

Possible values:

token_typestringOptional

Token type used in authorization

expires_ininteger · int32Optional

Validity period in seconds.

401

Unauthorized

application/json

post

/in-store/oauth2/token/refresh

POST /in-store/oauth2/token/refresh HTTP/1.1
Host: api.iyzipay.com
Authorization: Basic username:password
Content-Type: application/x-www-form-urlencoded
Accept: */*
Content-Length: 66

"grant_type='refresh_token'&refresh_token='{{refresh_token}}'"

{
  "access_token": "eyJraWQiOiI4M2Q0NDExYy05M2EzLTRiOWQtOGUwYi0xM2JjZGYxMGZmNTYiLCJhbGciOiJSUzI1NiJ9.example",
  "refresh_token": "QHKi_OISDcC451HdL90Nb2FzGrrjFEKzOQCSr3dgYRbe76OCi5zRr7dXaVmCTqTPDnqFdSP-example",
  "scope": "iyzipayApiGateway",
  "token_type": "Bearer",
  "expires_in": 7199
}

Sample Collection

Auth Code

Refresh Token

PreviousTerminal API Integration NextPayment and Transaction Services

Last updated 19 minutes ago

hashtagUser Authentication and Authorization Initialization

hashtagSample Collection

hashtagGet Token with Auth Code / Refresh Token

hashtagGet Token with Refresh Token

hashtagSample Collection

User Authentication and Authorization Initialization

Sample Collection

Get Token with Auth Code / Refresh Token

Get Token with Refresh Token

Sample Collection