KYC Account Opening

Client-Side (Implicit) Flow

If you are building an app that does not have a server component, you’ll notice that it’s impossible to complete step three above and receive your access_token without also shipping your client secret. You should never ship your client secret onto devices you don’t control. So how do you get an access_token? Well, the smart folks in charge of the OAuth 2.0 spec anticipated this problem and created the Implicit Authentication Flow.

Step 1. Direct users to the authorization endpoint

The only difference from the server-side flow is that the response_type is token.

The endpoint to be used for your app is available at the bottom of the app details page.


Authorization Endpoint

HTTP Request Method



Name Required Description


The client identifier received during app registration. It is automatically generated and located in your application dashboard.



Where the user gets redirected after authorizing an app. Set by the developer within the application dashboard.






A parameter that defines the group affiliation you are requesting permission to access.

Possible values:
  • kyc
Note: Your account must first be set up with policies to enable these scopes to be accepted.

Contact if you are receiving errors regarding an invalid scope.


Step 2. Receive the access token

Once the user has authenticated and authorized your app, we’ll redirect them to your redirect_uri with the access_token in the URL fragment.

Redirect URI with access token

Simply grab the access_token off of the URL fragment and you’re good to go. If the user chooses not to grant access to your app, you will receive an error response. See error examples here.
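
One way to handle the Step 2 redirect in the browser, as an added example that is not code from this API's documentation. The function names, callback URL and token value are constructed, and the error parameter names ("error", "error_description") assume the OAuth 2.0 (RFC 6749) convention because the error examples are not shown on this page.

```javascript
// Added example: parse the redirect that ends the implicit flow.
// Returns { ok: true, accessToken } or { ok: false, error, description }.
function parseImplicitRedirect(href, expectedRedirectUri) {
  const url = new URL(href);
  const expected = new URL(expectedRedirectUri);

  // Only accept a response delivered to the redirect_uri we registered.
  if (url.origin !== expected.origin || url.pathname !== expected.pathname) {
    return { ok: false, error: "unexpected_redirect_uri", description: "" };
  }

  // The fragment is not sent to any server; it is only readable client-side.
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  const query = url.searchParams;

  // Assumption: a denied request carries "error" (RFC 6749 naming).
  const error = fragment.get("error") || query.get("error");
  if (error) {
    const description =
      fragment.get("error_description") || query.get("error_description") || "";
    return { ok: false, error, description };
  }

  // Take the token from the fragment only, and reject repeated parameters
  // so a crafted link cannot make the app pick an ambiguous value.
  const tokens = fragment.getAll("access_token");
  if (tokens.length !== 1 || tokens[0] === "") {
    return { ok: false, error: "missing_or_duplicate_access_token", description: "" };
  }
  return { ok: true, accessToken: tokens[0] };
}

// Browser only: drop the fragment from the address bar once the token is read,
// so it does not stay in history, bookmarks or screenshots.
function scrubFragment() {
  if (typeof window !== "undefined" && window.history && window.history.replaceState) {
    const loc = window.location;
    window.history.replaceState(null, "", loc.pathname + loc.search);
    return true;
  }
  return false; // not running in a browser
}

// Constructed sample values, for illustration only.
const SAMPLE_REDIRECT_URI = "https://app.example/callback";
const SAMPLE_OK = SAMPLE_REDIRECT_URI + "#access_token=CONSTRUCTED_TOKEN_123";
const SAMPLE_DENIED = SAMPLE_REDIRECT_URI + "#error=access_denied";
```

In a browser, call parseImplicitRedirect(window.location.href, yourRedirectUri) on the callback page, keep the token in memory, then call scrubFragment().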