This page describes two ways to request an authentication token and two ways to present the token for authorization.

Requesting Tokens

Requesting Tokens Using The API

COS uses OpenID Connect and OAuth 2.0 for authentication and authorization. Before you can use the API, you must obtain an access token using the client_id and client_secret provided to you. Once a token has been obtained, it must be passed in the Authorization header of each request to the API.

To request a token send a POST to our auth server containing the client ID and client secret provided.

"header": 'content-type: application/json`,
"client_id":"[your id here]",
"client_secret":"[your secret here]",

Here's a cURL example for the token request:

curl --location --request POST '' \
--header 'Content-Type: application/json' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=[your id here]' \
--data-urlencode 'client_secret=[your secret here]' \
--data-urlencode 'audience='

Here's what a successful response looks like:

    "access_token": "xxxxx",
    "expires_in": 86400,
    "token_type": "Bearer"

Requesting Tokens Using Explorer

Go into the Explorer, click the arrow down next your login, and click Copy Access Token.
The access token is copied to your clipboard and ready for use.


Presenting Tokens

Presenting Tokens in the Request Header

In the header of each API request, the access token obtained should be included as follows:

Authorization: Bearer [your token here]

Here's an example of a cURL for a wire payment request:

curl --location --request POST '' \
--header 'Authorization: Bearer your token here' \
--header 'Content-Type: application/json' \
--data-raw '{
  "accountNumber": "2255685659",
  "businessFunctionCode": "CTR",
  "receiverRoutingNumber": "021000021",
  "beneficiaryFi": {
    "idCode": "F",
    "identifier": "021000021",
    "name": "JP Morgan Chase"
  "beneficiary": {
    "idCode": "D",
    "identifier": "123456789",
    "name": "Peter Griffin"
  "beneficiaryReference": "XYZ123",
  "amount": 10000,
  "purpose": "payment"

Presenting Tokens in Swagger

In the top of the swagger screen, paste the token from the clipboard into the token field and click Explore. The token is now activated.

1877 1877


Token Expiration

The access token should be stored and used until it expires. The token response you receive specifies the expiration time in seconds. Do not request a new token for every API request. It is recommended you use the current token until you receive a 401 unauthorized error, at which point you would request a new token.