Obtaining an application access token

The client credentials flow is used when an application needs to obtain permission to act on its own behalf. An application will exchange it’s client_id, client_secret, and grant_type=client_credentials for an application access token. An application access token can then be used to make calls to the Kopo Kopo API on behalf of the application, for example, when you create a webhook subscription, retrieve events, and list webhooks fired to a subscribed webhook endpoint, initiate transfers and initiate incoming payments to name some. Note that you cannot access any K2Connect API endpoint without a valid access token. Access tokens are granted with a life time of 1 hour (3600s). It is your responsibility to manage tokens on your end and get a new token upon expiry of a token. K2Connect does not make use of refresh tokens.

Request application authorization

The client credentials flow is the simplest OAuth 2 grant, with a server-to-server exchange of your application’s client_id, client_secret for an OAuth application access token. In order to execute this flow, you will need to make an HTTP request from your application server, to the Kopo Kopo authorization server.

HTTP request


Including the Content-Type: application/x-www-form-urlencoded header, the request is sent to the token endpoint with the following form-encoded parameters:

Request parameters
client_idyesstringApplication key. Navigate to (production) or (Sandbox) for your application key
client_secretyesstringApplication secret. Navigate to (production) or (Sandbox) for your application secret.
grant_typeyesstringThis must be set to client_credentials.

Example request

Content-Type: application/x-www-form-urlencoded

import k2connect

k2connect.initialize(CLIENT_ID, CLIENT_SECRET, BASE_URL)
token_service = k2connect.Tokens

# request the access token
access_token_request = token_service.request_access_token()

# get access token
access_token = token_service.get_access_token(access_token_request)
const options = {
  clientId: "YOUR_CLIENT_ID",
  clientSecret: "YOUR_CLIENT_SECRET",
  apiKey: "YOUR_API_KEY",
  baseUrl: "",

//Including the kopokopo module
var K2 = require("k2-connect-node")(options);

const TokenService = K2.TokenService;

  .then((response) => {
    //Developer can decide to store the token_details and track expiry
  .catch((error) => {
k2_token =, CLIENT_SECRET)
access_token = k2_token.request_token
//Including the kopokopo sdk
use Kopokopo\SDK\K2;

// Do not hard code these values
$options = [
    'clientId' => 'YOUR_CLIENT_ID',
    'clientSecret' => 'YOUR_CLIENT_SECRET',
    'apiKey' => 'YOUR_API_KEY',
    'baseUrl' => ''

$K2 = new K2($options);

$tokens = $K2->TokenService();

// Use the service
$result = $tokens->getToken();
if($result['status'] == 'success'){
    $data = $result['data'];
    echo "My access token is: ".$data['accessToken'];
    echo "It expires in: ".$data['expiresIn'];

Refreshing an application access token

A refresh token is not paired with an application access token, therefore in order to refresh authorization you’ll simply request a new application access token by exchanging your client credentials (as shown above). It is your responsibility to manage your tokens and request for a new token upon token expiry.

That’s it! You’re ready to start making requests to the Kopo Kopo API on behalf your application.