# JPMC-PDP Documentation from https://developer.payments.jpmorgan.com

# Integration guide

Use this guide to onboard your organization and applications to J.P. Morgan Business Direct Connect.

To complete the onboarding process, follow these steps:

1. Onboard your organization in the UAT (test) environment
2. Onboard your application in the UAT environment
3. Establish connectivity and invoke APIs
4. Obtain user consent
5. Exchange the authorization code for access, refresh, and ID tokens
6. Manage the access and refresh token lifecycle

The lower environment used to test your integration is UAT (pre-production or test). It is functionally equivalent to production. New functionality is introduced in UAT and promoted to production after validation.

After onboarding is complete and you have a valid access token, your application can connect to J.P. Morgan Digital Banking accounts.

Use these sections to initiate onboarding for your organization and applications. The process is the same for both UAT (test) and production environments. Submit separate requests for each environment.

## 1. Onboard your organization into the UAT environment

Register your organization as a partner with Business Direct Connect. This partner construct represents your company and serves as the parent entity for all registered applications.

Send the required information to your assigned J.P. Morgan integration team. After registration is complete, you can [modify your registration request](/docs/treasury/jp-morgan-business-direct-connect/integration-guide#modify-an-existing-registration) as needed.

### Partner registration

To initiate onboarding, provide these details:

- A JSON-formatted registration request using the partner onboarding template:
  - Replace partnerName with your firm’s name in all caps with no spaces, as specified in the partnerName field.
  - Replace the date suffix with the date the file is generated.

  Refer to the partner onboarding template table for field descriptions.
- A 30x30 logo file in PNG format. This logo is displayed to the end user during the consent flow.
  - Name the file using this format: partner_partnerName_yyyymmdd.png.
  - partnerName should match the value used in the registration request.
  - The date suffix should be the date the file was generated in yyyymmdd format.
- A set of IP addresses to be allowlisted in Classless Inter-Domain Routing (CIDR) notation for access to the UAT environment only (production IPs do not need to be allowlisted):
  - IP addresses used to access FDX APIs.
  - IP addresses used to request access tokens.
  - IP addresses for user machines initiating the consent workflow in a browser.

### Modify an existing registration

To modify, delete, or reactivate an existing registration, submit a JSON-formatted request using the partner onboarding template.

- Specify the desired action in the action field.
- All fields must be specified, and partnerName must match the previously provided value.
- For a MODIFY request, the newly provided values will override the previous values. partnerName cannot be modified.
- The DELETE action will deactivate the partner record. All related application records are also deactivated.
- To reactivate a deleted partner, specify the action as REACTIVATE. The applications will need to be re-registered or reactivated, and the user must provide fresh consent.

### Create a partner onboarding request

The partner onboarding table describes the fields included in the partner onboarding request. Save this template as a file and email it to your J.P. Morgan integration team at [JPMorgan_Corporate_FDX_Support@jpmorgan.com](mailto:JPMorgan_Corporate_FDX_Support@jpmorgan.com).

- Name the file using this format: partner__.json.
- Update the attributes according to the partner onboarding instructions table.
- The date suffix should be the date the file was generated, in yyyymmdd format.

Use the partner onboarding template as a reference to construct your request.

**Partner onboarding template**

```json
{
  "action": "NEW",
  "partnerName": "Unique name in all CAPS with no spaces used to identify the partner records",
  "partnerDisplayName": "Partner name as displayed to the end user",
  "partnerShortName": "Shortened partner name for space constrained displays",
  "requiredPermissions": [
    "ACCOUNT_BASIC",
    "ACCOUNT_DETAILED",
    "TRANSACTIONS",
    "PAYMENT_SUPPORT",
    "STATEMENTS",
    "CUSTOMER_CONTACT"
  ],
  "supportedAccountDomiciles": [
    "US"
  ],
  "contactEmail": "test@amzn.com",
  "reason": "New partner",
  "certificate": "",
  "_version": "3.0"
}
```

**Partner onboarding instructions**

**Partner onboarding template instructions**

| Field name | Description |
| --- | --- |
| action | Specify NEW, MODIFY, DELETE, or REACTIVATE. |
| partnerName | Provide a unique name for the partner, in all caps without spaces. |
| partnerDisplayName | Provide the full name displayed to the end user. |
| partnerShortName | Provide the shortened display name displayed to the end user in space-constrained displays. |
| requiredPermissions | Provide a list of data clusters: ACCOUNT_BASIC, ACCOUNT_DETAILED, TRANSACTIONS, PAYMENT_SUPPORT, STATEMENTS, CUSTOMER_CONTACT. |
| supportedAccountDomiciles | Provide country codes, such as US or UK, in ISO 3166 alpha 2-character format. |
| contactEmail | Provide a secure email to receive onboarding information. |
| reason | Provide a reason for the action, such as "New record" or "Updated permissions". |
| certificate | Certificate signed by a valid certificate authority (CA), generated for the given partner. The partner must follow their organizational procedure for requesting and retrieving a valid CA-signed certificate. For test partners in test environments, a self-signed certificate may be provided instead, as per the instructions below. Only the leaf certificate is needed; do not provide root or intermediate certificates. |
| _version | Must match the version configured within FDX services. As of October 17, 2025, use 3.0 as the version. |

## 2. Onboard your application in the UAT environment

To register your application, submit the required details to your integration team. You can update your registration after it is complete.

### Application registration

To register an application, provide these details:

- A JSON-formatted registration request using the application onboarding template.
  - Replace partnerName with your firm’s name in all caps without spaces, as noted in the template.
  - Replace appName with the name of the application in all caps without spaces, as noted in the template.
  - Replace the date suffix with the date the file is generated in yyyymmdd format.
  - Populate all fields within the template.
  - clientId must be provided, except for a new registration.
  - Required permissions for an application must be a subset of those for the partner.
- A 30x30 logo file in PNG format.
  - This logo is displayed to the end user during the consent flow.
  - Name the file using this format: application_PartnerName-ApplicationName_yyyymmdd.png.
  - partnerName and appName should match the values used in onboarding.
  - Replace the date suffix with the date the file was generated in yyyymmdd format.

Upon successful onboarding, `clientId` is generated for the registered application and sent to the contact email in the partner registration record. Any errors, clarifications, or exceptions are also sent to the same email address.

### Modify an existing application registration

To modify, delete, or reactivate a previously registered application, submit a JSON-formatted request using the application onboarding template.

- Specify the desired action in the action field.
- All fields must be specified.
- PartnerName, ClientId, and ApplicationName must match the previously provided values.
- For a MODIFY request, the newly provided values will override the previous values. PartnerName, ApplicationName, and ClientId cannot be modified.
- The DELETE action will deactivate the application's record along with all associated consent records.
- To reactivate a deleted application, specify the action as REACTIVATE. The user must provide fresh consent.
- If an application is modified to update the RequiredPermissions, the original permissions continue to apply to existing consents. Updated permissions apply only to new consents.

### Create an application onboarding request

Use the application onboarding template as a reference to construct your request. Copy this to a file and email it to your J.P. Morgan integration support team. Refer to the application onboarding template instructions to learn how to construct the request.

- Name the file using this format: application_PartnerName-ApplicationName_yyyymmdd.json.
- Update the attributes according to the instructions table.
- Replace the date suffix with the date the file was generated in yyyymmdd format.

**Application onboarding template**

```json
{
  "action": "NEW",
  "appName": "UNIQUE_APPLICATION_NAME_IN_ALL_CAPS_WITHOUT_SPACES",
  "clientId": "",
  "appDisplayName": "",
  "appShortName": "",
  "connectionType": "",
  "partnerName": "",
  "redirectURIs": [
    "redirect URL 1",
    "redirect URL 2"
  ],
  "requiredPermissions": [
    "ACCOUNT_BASIC",
    "ACCOUNT_DETAILED",
    "TRANSACTIONS",
    "PAYMENT_SUPPORT",
    "STATEMENTS",
    "CUSTOMER_CONTACT"
  ],
  "supportedAccountDomiciles": [
    "US"
  ],
  "appMessage": "",
  "reason": "New application",
  "_version": "3.0"
}
```

### Application onboarding template instructions

The application onboarding table describes the fields included in the application onboarding template:

**Application onboarding template instructions**

| Field name | Description |
| --- | --- |
| action | Specify NEW, MODIFY, DELETE, or REACTIVATE. |
| clientId | Provide the client identifier that was provided during the initial registration. Leave it blank for a new registration. |
| appName | Provide a unique application name in all caps without any spaces. |
| appDisplayName | Provide the full name displayed to end users. |
| appShortName | Provide a shortened display name for limited space. |
| connectionType | Specify DIRECT or AGG. DIRECT implies it is your application. AGG implies it is a third-party application that is sourcing data through the partner. In the latter case, both partner and application logos are shown during consent. Otherwise, only the application logo is shown. |
| partnerName | Provide the registered partner name. It must be in ALL CAPS without spaces. |
| redirectURIs | Provide a list of URLs to redirect the user after consent. |
| requiredPermissions | Provide a list of data clusters: ACCOUNT_BASIC, ACCOUNT_DETAILED, TRANSACTIONS, PAYMENT_SUPPORT, STATEMENTS. |
| supportedAccountDomiciles | Provide country codes (in ISO 3166 alpha 2-character format). |
| appMessage | Provide freeform text to display to the end user on the consent screen. |
| reason | Provide a reason for the requested action, such as "New record" or "Updated redirect URL". |
| _version | Provide the version. It must match the configured version in FDX services. It is set to 3.0 as of October 17, 2025. |

## 3. Establish connectivity and invoke APIs

Use environment-specific endpoints for consent (`authorization`), token operations (`exchange`, `refresh`, `revoke`), and the Data API. Align scope strings and JSON Web Token (JWT) audience values with the selected environment and include the required headers (`authorization`, `x-fapi-interaction-id`) in data calls.

### Production and UAT URLs

This table describes the URLs and endpoints used for connectivity and API operations in both UAT (pre-production) and production environments:

**Production and UAT URLs**

| URL type | UAT | Production |
| --- | --- | --- |
| Authorization | https://consent-uat.jpmorgan.com/app | https://consent.jpmorgan.com/app |
| Access token issuance | https://login.test.jpmorgan.com/h2w-api/oauth2/token | https://login.jpmorgan.com/h2w-api/oauth2/token |
| Access token reissuance using refresh token | https://login.test.jpmorgan.com/h2w-api/oauth2/token | https://login.jpmorgan.com/h2w-api/oauth2/token |
| Revoke token | https://login.test.jpmorgan.com/h2w-api/oauth2/token/revoke | https://login.jpmorgan.com/h2w-api/oauth2/token/revoke |
| Business Direct Connect Data API | https://api-test.payments.jpmorgan.com (headers: Authorization, x-fapi-interaction-id) | https://api.payments.jpmorgan.com/ (headers: Authorization, x-fapi-interaction-id) |
| Digital banking | https://digital-banking-uat.jpmorgan.com/app | https://digital-banking.jpmorgan.com/app |
| Consent management | https://digital-banking-uat.jpmorgan.com/app/settings/integrations/business-direct-connect | https://digital-banking.jpmorgan.com/app/settings/integrations/business-direct-connect |

## 4. Obtain user consent

To obtain user consent, construct the authorization URL using the appropriate environment endpoints.

**Obtain User Consent**

| Environment | URI |
| --- | --- |
| UAT | `https://consent-uat.jpmorgan.com/app?client_id=&redirect_uri=&state=&response_type=code&code_challenge=&code_challenge_method=S256&scope=jpmc:uri:uat:payments:fdx:access` |
| Production | `https://consent.jpmorgan.com/app?client_id=&redirect_uri=&state=&response_type=code&code_challenge=&code_challenge_method=S256&scope=jpmc:uri:prod:payments:fdx:access` |

If the authorization URI is well formed and query parameters are valid, the user logs in, authenticates, and selects the accounts to share.

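One way to build the authorization URI with a PKCE `S256` challenge and to check the redirect that comes back, as an added example (not J.P. Morgan's code). The function names are hypothetical, and sending `state` on every request is a choice made here; the page lists it as optional.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Consent endpoints and scope strings taken from the tables on this page.
ENVIRONMENTS = {
    "uat": ("https://consent-uat.jpmorgan.com/app", "jpmc:uri:uat:payments:fdx:access"),
    "prod": ("https://consent.jpmorgan.com/app", "jpmc:uri:prod:payments:fdx:access"),
}


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = base64url(SHA-256(code_verifier)) with '=' padding removed."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def start_consent(env: str, client_id: str, redirect_uri: str) -> dict:
    """Return the authorization URL plus the values to keep server-side."""
    base, scope = ENVIRONMENTS[env]
    code_verifier = secrets.token_urlsafe(32)  # 43 characters; sent only at token exchange
    state = secrets.token_urlsafe(16)          # ties the callback to this browser session
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "response_type": "code",
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",
        "scope": scope,
    })
    return {"url": f"{base}?{query}", "state": state, "code_verifier": code_verifier}


def read_callback(callback_url: str, expected_state: str, expected_client_id: str) -> str:
    """Return the authorization code only if the callback matches the pending request."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    received_state = params.get("state", "").encode()
    if not hmac.compare_digest(received_state, expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if params.get("client_id") != expected_client_id:
        raise ValueError("client_id mismatch")
    if not params.get("code"):
        raise ValueError("no authorization code in callback")
    return params["code"]


if __name__ == "__main__":
    # Constructed values: the client ID and redirect URI are placeholders.
    pending = start_consent("uat", "CONSTRUCTED_CLIENT_ID", "https://app.example/callback")
    print(pending["url"])
```

Keep `code_verifier` and `state` in server-side session storage; the verifier is needed again for the token exchange.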
After the user consents, the system sends the authorization code to the redirect URL:

`?client_id=&code=&iss=&state=&traceId=`

**Authorization URL parameters**

The authorization URL parameters table describes the parameters required to construct the authorization URL for user consent. It specifies which fields are mandatory and provides a brief description of each field.

**Authorization URL parameters**

| Field name | Mandatory | Description |
| --- | --- | --- |
| client_id | Yes | Client identifier provided during onboarding. |
| redirect_uri | Yes | URL to which the user is redirected after consent is completed. Validation: The redirect_uri must be the one provided during onboarding. |
| state | No | A random string generated by the application. |
| response_type | Yes | Specify code to request an authorization code. |
| code_challenge | Yes | Temporary secret; base64URL encoded SHA256 hash. Must be 43–128 characters. |
| code_challenge_method | Yes | Specify S256. |
| scope | Yes | UAT: jpmc:uri:uat:payments:fdx:access. Production: jpmc:uri:prod:payments:fdx:access. |

## 5. Token exchange and management

### Exchange authorization code for access, refresh, and ID tokens

Send a request to the token endpoint.

`?client_id=&grant_type=authorization_code&code=&code_verifier=&redirect_uri=&client_assertion=&client_assertion_type=`

Header: `Content-Type: application/x-www-form-urlencoded`

**Token exchange parameters**

This table describes the parameters required when exchanging an authorization code for access, refresh, and ID tokens. Each parameter must be included in the request to the token endpoint.

**Token exchange parameters table**

| Field name | Description |
| --- | --- |
| client_id | Client ID provided by us during onboarding. |
| grant_type | Set the grant type to `authorization_code`. |
| code | Authorization code received from the consent flow. |
| client_assertion | The client assertion is a JWT signed with the application-specific private key. |
| client_assertion_type | The client assertion type must be `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`. |
| redirect_uri | Redirect URI provided during onboarding. |
| code_verifier | Randomly generated string, for example: sX2yD5hJD9a5xTwclSUZVhxF3j8VaV38Yu6NPqWzjYo. |

The response returns the access token as shown in the sample response:

Sample response

```json
{
  "access_token": "eyJhbGciOiJFUzUxMiIsImtpZCI6ImUxMWQzMWU0LTdjODctNDdhNi1hOGJlLTIxMjIxZGUzZmJiMSIsInR5cCI6IkpXVCJ9....Ac8eIDCYwaZZ-Bq7BtAvbVkbp8yfaorPZCWHQXAB1-GgbfyDwiwJ0WkRiwGpxyc5tkcOJWqli-RwGL6ejPsmkUZoAT2k-cPst0M-XrmW6wrr9dB2sgKZgV2jHtGMKl6DBdrYXM_AqldYE9L67G9U-13BFLgUKp41P9Fva8aMxAO-z_Zg",
  "refresh_token": "eyJhbGciOiJFUzUxMiIsImtpZCI6ImUxMWQzMWU0LTdjODctNDdhNi1hOGJlLTIxMjIxZGUzZmJiMSIsInR5cCI6IkpXVCJ9....AJxYikoZvfdjv5a6RBm-AuziahpwbuhwR3l3cbWnpvDbokS821gevoCDSJVE7M-otdNr19SrbSeEyxBIu8KJcZR0AIsfsqPMErCKPzLmtz1PbQAjc6zTCV-cjn4j2dM7s2Hyg-3MOZmT1KTVym-UN-lLgoDhv8gVbuAR5eKykGuvEspz",
  "id_token": "eyJhbGciOiJFUzUxMiIsImtpZCI6ImUxMWQzMWU0LTdjODctNDdhNi1hOGJlLTIxMjIxZGUzZmJiMSIsInR5cCI6IkpXVCJ9....AR3W2vPjdVaVxRz8oGxycY8n3Yk3B-k7dkQolINID_iLOSHvlQIsvfIfOQ6txwR8nvgHcdkWIuWHcQI12LpQLcI-AKCZ2zYcHDovViisu3gf0KAdlgykC2oep-JAeTyL-39UBk87DUExREJ2CeA6m6EfpkgCB8A4dJea5ZePRLwnLwSL",
  "scope": "jpmc:uri:uat:payments:fdx:access",
  "token_type": "Bearer",
  "expires_in": 3599
}
```

### Client assertion token generation

This flow uses a signed JSON Web Token (JWT) to request an OAuth access token by sending a request to the token endpoint. Use these steps to create a client assertion token:

1. Fetch the private key and certificate
   1. Obtain the private key and the corresponding certificate for the application (client).
   2. Refer to the certificate generation section for instructions on creating the certificate.
2. Create the JWT
   1. Construct a JWT with the header example parameters:

   Header example

   ```json
   {
     "kid": "",
     "typ": "JWT",
     "alg": "RS256"
   }
   ```

   Payload example

   ```json
   {
     "exp": "",
     "iat": "",
     "aud": "https://login.test.jpmorgan.com/h2w-api/oauth2/token",
     "iss": "",
     "sub": "",
     "nbf": ""
   }
   ```

3. Sign the JWT with the application's private key and the self-signed certificate using the RS256 algorithm.

Example of an assertion token:

`eyJraWQiOiJDQkVtYmVkZGVkQmFua2luZyIsInBpLmF0bSI6IjdpOW8iLCJhbGciOiJSUzI1NiJ9.eyJpYXQiOjE3MjEzMzk0NDgsImV4cCI6MTcyMTM0MTI0OCwiYXVkIjoiaHR0cHM6Ly9wZi5zaXQuYXV0aGUuZGV2LmF3cy5qcG1jaGFzZS5uZXQiLCJpc3MiOiJDX0pQTUNfMTE0MzU1X0lOVFVJVDk4LVFVSUNLQk9PS1MxMDZfU0lUXzAwMDczIiwic3ViIjoiQ19KUE1DXzExNDM1NV9JTlRVSVQ5OC1RVUlDS0JPT0tTMTA2X1NJVF8wMDA3MyJ9.X71QFuTGa4_qAmy_jrehWRD98EWoT_RUOYX27m5X4Hy10HtD_1TUl6EysXtJVLF3DdNST6BRnohXI0L5JgLGhdAkR1WKOJBspAIUUttWj6_ref7wnOvQZY0o2KL_4IPL3np-0WlLCkksWJHm66OKAjOECJg1pYxSnH5byaCzgK0NAaEBSIyN_-nS_2Aaux2OQSXtyqcCKFtFYsg4HAz2AwtFxyokWfYLxxWYG9X6o3h9eV3BJBh8066Y65h99aUtaURWQbtwnWLxFQ_iHI5mvwqtWXwuptR8NVL6VsB6ahX90Leu7n-78U7TPThdsYkrnaFw2PsAAnnOefu85C_O7Q`

### Examples of parameters used in JWT generation

**UAT environment example:**

Header

```json
{
  "kid": "250c2fc267635b07169d0afe984b62a0f12382de",
  "alg": "RS256",
  "typ": "JWT"
}
```

Payload

```json
{
  "nbf": 1757698700,
  "exp": 1757699000,
  "iat": 1757698700,
  "aud": "https://login.test.jpmorgan.com/h2w-api/oauth2/token",
  "iss": "client_id",
  "sub": "FINNEZ-MONEYSYNC"
}
```

Signature (encoded)

`JPCq8ZRMywhMxEJf0B7UIr9XVNI7405csLymrG7ax0Qhypo-TzrlOViI-nZ_nvnZcZtR71_UEMCwsl4-UlYNZ20MBUZTA0rB7ypDK5g4DFsSxGQwAIJ00pb3-0LUt8poAdaKFWiPLT-mZmeIeBBpqiNGELRdW1-SxRRq2h_abJWRQ1uiRHz9k5RNXUIAtPaqn2b8Lal8tWvP-fftEjt1vM42yjMK1H2eksBfzxzGQ0qnN289C2Jc6QomxoAbm5kWcL9KsRBZwDIM6uJan56Zryaw1zx6pvy_ClkuWPCmh4OOWTjfL3DLiLbOtXMoW6sa4EBdsaDNblcemwQMeV_zXkw`

**Production environment example:**

Header

```json
{
  "kid": "250c2fc267635b07169d0afe984b62a0f12382de",
  "alg": "RS256",
  "typ": "JWT"
}
```

Payload

```json
{
  "kid": "250c2fc267635b07169d0afe984b62a0f12382de",
  "alg": "RS256",
  "typ": "JWT"
}
```

Signature (encoded)

`JPCq8ZRMywhMxEJf0B7UIr9XVNI7405csLymrG7ax0Qhypo-TzrlOViI-nZ_nvnZcZtR71_UE`

## 6. Token lifecycle management

This section explains how to refresh and revoke tokens.

- Access token: Valid for 15 minutes. Refresh it before it expires.
- Refresh token: Valid for one year. The user must re-consent to renew.

### Refresh the access token

Send a request to the token endpoint.

`?client_id=&grant_type=&refresh_token=&client_assertion=&client_assertion_type=&code_verifier=`

Header: `Content-Type: application/x-www-form-urlencoded`

#### Refresh token parameters

The refresh token parameters table describes the parameters required to refresh the access token using the refresh token:

**Refresh token parameters**

| Field name | Description |
| --- | --- |
| header | Content-Type: application/x-www-form-urlencoded |
| client_id | Client ID provided by us during onboarding |
| grant_type | refresh_token |
| refresh_token | Refresh token example: daKDqweERo4utdbgVmXc2xY8Q7WpPadEFc8e3L8ZSy |
| client_assertion | Client assertion token |
| client_assertion_type | urn:ietf:params:oauth:client-assertion-type:jwt-bearer |
| code_verifier | Randomly generated string example: eyJhbGciOiJFUzUxMiIsImtpZ. |

### Revoke token

Send a request to the token revocation endpoint:

`https://login.test.jpmorgan.com/h2w-api/oauth2/token/revoke`

Header: `Content-Type: application/x-www-form-urlencoded`

#### Revoke access token parameters

The revoke access token parameters table describes the parameters required to revoke the access token:

**Revoke the access token**

| Field name | Description |
| --- | --- |
| client_id | Client ID provided during onboarding. |
| token | Token to revoke. Confirm whether this endpoint supports access tokens, refresh tokens, or both. |

## Related

- See the [FAQs](/docs/treasury/jp-morgan-business-direct-connect/faqs) page for answers to common questions and issues encountered during integration.
- Refer to the [support](/docs/treasury/jp-morgan-business-direct-connect/support) page for support information and to report production issues.
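
For the client assertion described under "Client assertion token generation" in section 5, a pre-flight check that catches environment mix-ups (a UAT `aud` sent to production, stale timestamps) before the assertion reaches the token endpoint. This is an added example, not J.P. Morgan's code: `preflight`, `b64url` and the 300-second `max_lifetime` default (the exp minus iat gap in the page's UAT example) are assumptions, and the check reads unverified claims only; it does not verify the signature.

```python
import base64
import json

# Token endpoints from the "Production and UAT URLs" table; each is the expected `aud`.
TOKEN_ENDPOINTS = {
    "uat": "https://login.test.jpmorgan.com/h2w-api/oauth2/token",
    "prod": "https://login.jpmorgan.com/h2w-api/oauth2/token",
}


def b64url(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _segment(segment: str) -> dict:
    """Decode one base64url JWT segment back into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def preflight(assertion: str, env: str, now: int, max_lifetime: int = 300) -> list:
    """Return the problems found in the assertion's header and claims (empty list = none)."""
    parts = assertion.split(".")
    if len(parts) != 3 or not parts[2]:
        return ["not a signed compact JWT (header.payload.signature)"]
    header, claims = _segment(parts[0]), _segment(parts[1])
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"alg is {header.get('alg')!r}, expected 'RS256'")
    if not header.get("kid"):
        problems.append("kid is missing")
    if claims.get("aud") != TOKEN_ENDPOINTS[env]:
        problems.append(f"aud {claims.get('aud')!r} is not the {env} token endpoint")
    for name in ("iss", "sub"):
        if not claims.get(name):
            problems.append(f"{name} is missing")
    iat, nbf, exp = (claims.get(n) for n in ("iat", "nbf", "exp"))
    if not all(isinstance(v, int) for v in (iat, nbf, exp)):
        problems.append("iat, nbf and exp must be integer epoch seconds")
        return problems
    if exp <= now:
        problems.append("assertion already expired")
    if nbf > now:
        problems.append("assertion not yet valid (nbf is in the future)")
    if exp - iat > max_lifetime:
        problems.append(f"lifetime exceeds {max_lifetime}s")
    return problems


# Constructed sample: header and payload values from the page's UAT example,
# with a placeholder signature segment (not a real signature).
SAMPLE = ".".join([
    b64url({"kid": "250c2fc267635b07169d0afe984b62a0f12382de", "alg": "RS256", "typ": "JWT"}),
    b64url({"nbf": 1757698700, "exp": 1757699000, "iat": 1757698700,
            "aud": TOKEN_ENDPOINTS["uat"], "iss": "client_id", "sub": "FINNEZ-MONEYSYNC"}),
    "c2lnbmF0dXJl",
])

if __name__ == "__main__":
    print(preflight(SAMPLE, "uat", now=1757698800))   # inside the validity window
    print(preflight(SAMPLE, "prod", now=1757698800))  # UAT audience sent to production
```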