Understanding OAuth 2.0 Working with our products


Access to all MTN APIs is based on the OAuth 2.0 framework, so developers must obtain an OAuth access token before they can make successful API calls. To obtain an OAuth access token, a developer registers their app and obtains a Consumer Key and Consumer Secret. These are the values now labelled Production key and secret in the current dev-portal.


To retrieve an OAuth access token, send a request to the token endpoint using the Consumer Key and Secret and specifying the "client credentials" grant type. The sequence diagram below illustrates the implemented flow.

OAuth Flow


Get Access Token


The first action is to get an access token. This requires calling the token endpoint using your App credentials--the consumer key and secret that are generated when registering the App. The endpoint that is called is:


https://api.mtn.com/v1/oauth/access_token


And it can be called as follows:


curl -X POST -H "Content-Type: application/x-www-form-urlencoded" "https://api.mtn.com/v1/oauth/access_token?grant_type=client_credentials" -d 'client_id={consumer-key}&client_secret={consumer-secret}'


After firing the request above, a successful response should look like the one below.


HTTP/1.1 200 OK
Content-Type: application/json

{
  "refresh_token_expires_in": "0",
  "api_product_list": "[MTN Customer Plans API v2, Payment_Staging]",
  "api_product_list_json": [ "MTN Customer Plans API v2", "Payment_Staging" ],
  "organization_name": "mtn-prod",
  "developer.email": "nerd@mtn.com",
  "token_type": "BearerToken",
  "issued_at": "1611316770076",
  "client_id": "xNnREu1DNGfiwzQZ5HUN8IAUwZSW1rtp",
  "access_token": "GTPY9VUHCqKVMRB0cHxnmAp0utR0",
  "application_name": "716bbe61-f14a-4e45-9b56-a62ff8e0d347",
  "scope": "",
  "expires_in": "3599",
  "refresh_count": "0",
  "status": "approved"
}

Make an API call


Extract the access_token from the response returned by the token endpoint and use it to make an API call. The access token must be sent in the Authorization request header.


Header Authorization parameter:


Authorization: Bearer GTPY9VUHCqKVMRB0cHxnmAp0utR0


Using the OAuth access token, an API call to our subscription API would look like:


curl https://api.mtn.com/customers/27811111111/subscriptions -H "Authorization: Bearer {access_token}"
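
The flow above as client code, added here as an example and not taken from MTN's own documentation or SDKs: it requests a token with the client credentials grant, reuses it until shortly before expires_in runs out, and builds the Authorization header. The names TokenCache, http_post_form and skew are hypothetical, and treating any status other than "approved" as a failure is an assumption based on the sample response.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.mtn.com/v1/oauth/access_token?grant_type=client_credentials"


def http_post_form(url, form):
    """POST a form-encoded body over HTTPS and return the decoded JSON reply."""
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Hypothetical helper: fetches a token once and reuses it until it nears expiry."""

    def __init__(self, client_id, client_secret, post=http_post_form,
                 now=time.time, skew=60):
        self._form = {"client_id": client_id, "client_secret": client_secret}
        self._post, self._now, self._skew = post, now, skew
        self._token, self._expires_at = None, 0.0

    def token(self):
        # Refresh `skew` seconds early so a call never goes out with a stale token.
        if self._token is None or self._now() >= self._expires_at - self._skew:
            reply = self._post(TOKEN_URL, self._form)
            # Assumption: anything other than the sample's "approved" is a failure.
            if reply.get("status") != "approved" or not reply.get("access_token"):
                raise RuntimeError("token request was not approved")
            # expires_in arrives as a string of seconds ("3599" in the sample).
            self._expires_at = self._now() + int(reply["expires_in"])
            self._token = reply["access_token"]
        return self._token

    def auth_header(self):
        # The reply's token_type is "BearerToken", but the header scheme is "Bearer".
        return {"Authorization": "Bearer " + self.token()}
```

Load the consumer key and secret from the environment or a secret store rather than source code, and keep the token and the raw token response out of logs and error messages.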