# Create Access Token

<Info>
  Scope required: `auth.create`
</Info>

This endpoint programmatically generates an API access token for a given
user. The token can then be used with the
[Consumer API](/consumer/overview) or the [Loyalty API](/loyalty/overview),
depending on the integration use case.

Generating access tokens on behalf of users is designed to support
integration partners that use custom authentication mechanisms. It gives
partners complete flexibility in how they manage user authentication: using
[Thanx Auth](/consumer/sso/overview), a self-hosted authentication
implementation, or a third-party authentication provider.

### Parameters

<ParamField path="merchant_id" type="string" required>
  Merchant ID
</ParamField>

<ParamField path="user_id" type="string">
  Thanx User ID. One of `user_id`, `email`, or `phone` must be specified.
</ParamField>

<ParamField path="email" type="string">
  Email address. One of `user_id`, `email`, or `phone` must be specified.
</ParamField>

<ParamField path="phone" type="string">
  Phone number in [E.164 format](https://www.twilio.com/docs/glossary/what-e164)
  (e.g. `+14155551212`). One of `user_id`, `email`, or `phone` must be
  specified.
</ParamField>

<ParamField path="expires_in" type="integer">
  The number of seconds after which this access token will expire. If omitted,
  the token does not expire, which is intended for integrations that require
  long-lived access tokens. If your integration does not require long-lived
  access tokens, we highly recommend specifying this value. Allowed values are
  between 60 and 3600 seconds (1 hour).
</ParamField>

<Warning>
  Phone numbers must be in E.164 format with the country code prefix
  (e.g. `+14155551212`). For US numbers and US territories, the prefix is
  `+1`, including Puerto Rico (787/939), USVI (340), Guam (671),
  Northern Mariana Islands (670), and American Samoa (684). Numbers
  without the country code prefix may be parsed as international and return
  `Unknown user`.
</Warning>

<Note>
  Besides phone formatting (above), `Unknown user` is also returned when the user
  does not exist on Thanx, or exists but is **not an enrolled loyalty member at
  this merchant** (a marketing subscriber is not sufficient). Enroll the user with
  [`POST /users`](/consumer/users/create-user) first, then retry.
</Note>
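
The parameter rules above can be enforced client-side before the request is sent. The following is an added example, not Thanx code: `build_token_request` is a hypothetical helper, and requiring exactly one identifier and always sending `expires_in` are this helper's own policies, stricter than the page requires.

```python
import json
import re

# E.164: "+", a non-zero first digit, at most 15 digits in total.
E164 = re.compile(r"^\+[1-9]\d{1,14}$")
MIN_TTL, MAX_TTL = 60, 3600  # allowed expires_in range stated on this page


def build_token_request(merchant_id, *, user_id=None, email=None, phone=None,
                        expires_in=MAX_TTL):
    """Return the JSON body for POST /partner/oauth/token, or raise ValueError."""
    if not merchant_id:
        raise ValueError("merchant_id is required")

    given = {k: v for k, v in
             (("user_id", user_id), ("email", email), ("phone", phone)) if v}
    # Helper policy (stricter than the page): exactly one identifier, so the
    # token cannot be requested for an ambiguous user.
    if len(given) != 1:
        raise ValueError("specify exactly one of user_id, email, phone")

    if phone and not E164.match(phone):
        # Without the country code prefix the API may answer `Unknown user`.
        raise ValueError("phone must be E.164, e.g. +14155551212")

    # Helper policy: always send expires_in, so a forgotten argument never
    # produces a non-expiring token.
    if isinstance(expires_in, bool) or not isinstance(expires_in, int):
        raise ValueError("expires_in must be an integer number of seconds")
    if not MIN_TTL <= expires_in <= MAX_TTL:
        raise ValueError(f"expires_in must be between {MIN_TTL} and {MAX_TTL}")

    return json.dumps({"merchant_id": merchant_id, **given,
                       "expires_in": expires_in}, sort_keys=True)


if __name__ == "__main__":
    # Sample values reused from this page's request examples.
    mid = "k2lye10h32l5wzo"
    print(build_token_request(mid, phone="+17875551212"))
    for bad in ({"phone": "7875551212"},
                {"email": "example@example.com", "phone": "+14155551212"},
                {"email": "example@example.com", "expires_in": 86400}):
        try:
            build_token_request(mid, **bad)
        except ValueError as err:
            print("rejected:", err)
```
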

### Response

<ResponseField name="access_token" type="string">
  The user's access token, for use in accessing the [Consumer API](/consumer/overview)
</ResponseField>

<ResponseField name="token_type" type="string">
  The type of token, "Bearer"
</ResponseField>

<ResponseField name="scope" type="string">
  The API scopes granted to the access token
</ResponseField>

<ResponseField name="created_at" type="integer">
  The time the token was created, in seconds since the Unix epoch
</ResponseField>

<ResponseField name="expires" type="integer">
  The number of seconds after which this access token will expire
</ResponseField>

<RequestExample>
  ```bash Email theme={null}
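  # Assumes client_id and access_token are set as shell variables.
  # Double quotes are needed so the shell expands them.
  curl -X POST \
    -H "X-ClientId: ${client_id}" \
    -H 'Accept-Version: v4.0' \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer ${access_token}" \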
    https://api.thanxsandbox.com/partner/oauth/token \
    -d '{
      "merchant_id": "k2lye10h32l5wzo",
      "email": "example@example.com",
      "expires_in": 3600
    }'
  ```

  ```bash Phone (E.164) theme={null}
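  # Assumes client_id and access_token are set as shell variables.
  # Double quotes are needed so the shell expands them.
  curl -X POST \
    -H "X-ClientId: ${client_id}" \
    -H 'Accept-Version: v4.0' \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer ${access_token}" \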
    https://api.thanxsandbox.com/partner/oauth/token \
    -d '{
      "merchant_id": "k2lye10h32l5wzo",
      "phone": "+17875551212",
      "expires_in": 3600
    }'
  ```
</RequestExample>

<ResponseExample>
  ```json Response Example theme={null}
  {
    "access_token": "945148251b603ae34561d90acfe4050e67494d6d1e65d4d3d52798407f03c0bd",
    "token_type": "Bearer",
    "scope": "passwordless",
    "created_at": 1577836800,
    "expires_in": 3600
  }
  ```
</ResponseExample>
