New Airwallex customers

To onboard new customers who will be registering for an Airwallex account to leverage the integration, you can incorporate a "Sign up Airwallex Account" button within your user interface. By including a sign_up parameter in the URL listed below, users can seamlessly navigate through the account sign-up process and OAuth flow in a single, streamlined flow.

https://airwallex.com/oauth/authorize?response_type=code&client_id=YOUR_CLIENTID&redirect_uri=YOUR_REDIRECT_URI&scope=YOUR_SCOPES&sign_up=true

Fill in details to sign up a new Airwallex account

Proceed with 2FA verification

Specify the intended use of Airwallex account

Upon successful account creation, users are seamlessly directed to OAuth authorization

Once a user grants you access to their account, you can redirect the user back to your website and initiate subsequent tasks such as:

• Invoking KYC/KYB flow using Airwallex embedded components
• Completing other required workflows on partner website

After successfully acquiring the authorisation code, your application should exchange the authorisation code back to Airwallex OAuth server for a refresh and access token.

Note that YOUR_REDIRECT_URI must match the one that was used to obtain the AUTH_CODE in the previous step.

If the AUTH_CODE is valid, you will receive a refresh and access token. The refresh token is long-lived (valid for 60 days). You should store this securely in a database for refreshing your access token later. The access token is short-lived (valid for 5 minutes) and should be used in each session where you call the Airwallex API on behalf of authorised accounts.

To use the access token, pass the access token value in the Authorization header of requests each time your application calls an API. The value should always be: Authorization: Bearer {AccessToken}. For example, you can now call the GET /api/v1/account/ endpoint to obtain details about the account that was just connected.

As the access token is short-lived, you will need to obtain new access tokens to continue accessing the Airwallex APIs across sessions. To do so, use the latest refresh token value from your previous call to /oauth/token/.

This will give you a new access token and refresh token. You should replace the previously-stored refresh token value with the new one. Note that the previous refresh token remains valid for 1 minute after the issuance of the new one. In case of any unexpected errors, such as a network outage, you can use the old refresh token to request new access and refresh tokens.

Do not attempt to use old refresh tokens to obtain a new access token. Doing so will cause the connection to be invalidated, as Airwallex interprets that as a potential signal that your refresh tokens were leaked or compromised by a third party.

Access tokens may become invalid under the following circumstances:

• Expiration: If the access token expires, utilise your refresh token to renew it.
• User Revocation: In the event that a user disconnects their Airwallex account from your application, both the access token and refresh token are invalidated. In such cases, it is necessary to prompt your users to initiate the authorisation flow once again.