authorize your integration

The authorization of access to a customer’s account is made using the OAuth2 Authorization Code Flow. In essence, this means that a user grants your application access to their account. The user must approve the access and scope of access to their account during the activation process.

Below is an overview of the Authorization Code Flow. The flow starts at your application’s landing page. Authentication of the user is handled through the standard Fortnox login process as part of the flow.

  1. The App Backend attempts to access a resource that requires authorization that it does not have. It redirects the user to the authorization server for authentication.

  2. The Authorization Server authenticates the user by asking for their login credentials. The server determines if the user should be granted or denied their request.

  3. If the User is determined to be authentic, an Authorization-Code is issued and returned to the App Frontend. This code is used to retrieve an Access-Token from the Authorization Server.

  4. The retrieved Authorization-Code is sent to the App Backend.

  5. The App Backend makes a POST request to the Authorization Server, containing its Client-ID, Client-Secret, and Authorization-Code.

  6. The Authorization Server verifies the key, secret and code, and issues an Access-Token and Refresh-Token.

  7. The App Backend receives and processes the Access-Token. The Access-Token is then kept in the App Backend, which can request resources on behalf of the App Frontend without exposing the token itself.

Client-IdThe integrators key to exchange an Authorization-Code for an Access-Token (unique for the application and connected to the Client-Id)
Client-SecretThe integrators key for making requests (unique for the integration and connected to the Client-Id).
Authorization-Code Generated when the customer authenticates and approves the connection between their account and your application. Expiration time: 10 minutes.
Access-TokenToken with limited lifetime used by your application when making API requests on behalf of a user. Expiration time: 1 hour
Refresh-TokenLong-lived token used to generate a new Access-Token once the old one has expired. Expiration time: 45 days

The Client-Id, Client-Secret and Authorization-Code are only used during initial authorization of the connection between a customer’s account and your application.

The Access-Token is used when making regular API calls from your application.

The Refresh-Token is used when an Access-Token has expired. The Refresh-Token should be kept secret.

Steps for authentication, activation and performing requests.
  1. When a user performs the authentication we generate an Authcode (valid for 10 min) which is sent to the integrator through the redirect URL.

  2. The integrator receives the Authcode and activates it. In response to the activation, we generate an Access Token (valid for 1 hour) and a Refresh Token (valid for 45 days).

  3. The integrator uses the Access Token to make calls to our API. These calls do not affect an expire date, neither for Access-Token nor Refresh-Token.

  4. When the Access Token expires after one hour, the integrator uses its Refresh Token to obtain a new Access Token. When this is generated, a new Refresh Token is also created. The old Refresh Token then becomes invalid.

  5. The Refresh Token is valid for 45 days and within this time a new Access Token can be generated. If the Refresh Token has expired, the user needs to re-authenticate and we start again at authentication.


See our comprehensive documentation regarding the Fortnox API.

Subscribe to our blog

By contacting Fortnox, your personal information will be processed in accordance with Fortnox's Privacy Notice

Join us

Approximately half a million customers are waiting for your integration at our Integrations page.