Access Token with READ access scope Permission

Hi everyone,

I’ve been working on a script using the Revolut Sandbox to retrieve an access token. My goal is to use the “READ” scope for permission in the refresh token. Here’s the script I have so far:

import os
import requests

def get_auth_token(code, jwt_value):
    """Exchange the authorization code for an access token at the Revolut API."""
    url = os.getenv('API_ENDPOINT') + "/auth/token"
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    data = {
        'grant_type': 'authorization_code',
        'code': code,  # authorization code returned to the redirect URI
        'client_id': os.getenv('CLIENT_ID'),
        # private_key_jwt client authentication: the signed JWT proves the client's identity
        'client_assertion_type': 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
        'client_assertion': jwt_value,
        'scope': 'READ'
    }
    return requests.post(url, headers=headers, data=data).json()

This script successfully gives me the access token. However, when I try to perform a payment in the Sandbox, it goes through successfully, which shouldn’t happen with the “READ” scope. According to the documentation, with the “READ” scope, I should only be able to perform GET requests, not POST or DELETE.

Am I missing something in the creation of the JWT or the certificate? Any help or pointers on this topic would be greatly appreciated.

Thanks!

3 Likes

Hi @Lucianogjinaj and welcome to the Community! :wave:

The scope is not defined in the token API call, but in the UI after you click on “Enable access”. You can customise the permissions by adding the parameter &scope=READ in the URL.

For example:
https://sandbox-business.revolut.com/app-confirm?client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI&response_type=code&scope=READ

I hope that helps.

3 Likes
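One way to build that consent URL with the scope in the right place, and to keep a sandbox client honest about what READ allows, as an added example that is not part of the original thread or Revolut's own code; the function names and the client-side guard are my own assumptions, and the page documents only the READ scope.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Consent page from the answer above; the scope is chosen here, not in /auth/token.
SANDBOX_CONSENT_BASE = "https://sandbox-business.revolut.com/app-confirm"

# Per the thread, READ permits only GET requests.
READ_ONLY_METHODS = {"GET"}


def build_consent_url(client_id, redirect_uri, scope="READ", base=SANDBOX_CONSENT_BASE):
    """Build the 'Enable access' URL with an explicit scope parameter.

    urlencode percent-encodes the redirect URI, so a callback that itself
    carries a query string does not corrupt the consent URL.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
    }
    return f"{base}?{urlencode(params)}"


def consent_scope(url):
    """Return the scope parameter from a consent URL, or None if it was omitted."""
    query = parse_qs(urlsplit(url).query)
    return query.get("scope", [None])[0]


def allowed_under_scope(scope, method):
    """Client-side guard (assumption, not an API feature): refuse to send
    non-GET requests with a token that was granted under READ, so a misuse
    is caught locally even if the server were to accept it."""
    if scope == "READ":
        return method.upper() in READ_ONLY_METHODS
    # Any scope other than READ is not described on the page; no restriction is applied here.
    return True


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    url = build_consent_url("my-client-id", "https://example.com/cb?env=sandbox")
    print(url)
    print("scope:", consent_scope(url))
    print("POST allowed under READ:", allowed_under_scope("READ", "POST"))
```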