Home
Documentation
Resources
Partners
Community

Documentation

Check out our information about our products and the integration process.

Online paymentsIn-person paymentsE-commerce platformsTest how the solutions work
Referencia APIBibliotecas SDK

Starting now?

Access the page with the first steps to learn how to integrate.

Resources

Check for updates on our solutions and system performance, or request technical support.

ChangelogMercado Pago status

Support

With my accountWith my integration

Partners

Discover our program for agencies or developers that offer integration services and sellers who want to hire them.

About the programFor agenciesFor developersFor platforms
Contrate um parceiro para integrar seu site

Community

Get the latest news, ask others for help and share your knowledge.

NewsNewsletterCommunity on DiscordYouTube channel
Online payments

No programming

Payment link

Payment with link or button.

Subscription plans

Recurring payments without integration.

With programming

Checkout Pro

Ready to configure.

Checkout Bricks

Modules to assemble.

Checkout API

Full checkout control.

Subscriptions

Recurring payments with integration.

Platforms

Shopify

WooCommerce

VTEX

Tiendanube

Prestashop

Commerce Cloud

Wix

Show more

In-person payments
Mercado Pago Point

POS machines.

QR Code

Scannable code.

Tools and resources

Integration management

Your integrations

Integrated payment solutions.

Application details

Guide to manage integrations.

Credentials

Secure access passwords.

Tests

Functionality testing.

Quality

Performance assessment.

Tools

Security

Protocols and regulations.

Reports

Operations reports.

Updates

Changelog

Change history.

Mercado Pago Status

Service operability.

APIs and SDKs
API Reference

Endpoints and parameters.

SDK Libraries

Development technical kit.

Create and refresh token - OAuth - Mercado Pago Developers
Create and 'refresh_token'

POST

https://api.mercadopago.com/oauth/token
This endpoint is used to create or refresh the necessary Access Token to operate your application.
Products that use it:
Checkout Pro
Subscriptions
Mercado Pago Point
QR Code
Request's parameters
BODY
client_secret
string

REQUIRED

Private key to be used in some plugins to generate payments. One of the keys in the pair that make up the credentials that identify an application/integration in your account.
client_id
string

REQUIRED

Unique ID that identifies your application/integration. One of the keys in the pair that make up the credentials that identify an application/integration in your account.
grant_type
string

REQUIRED

Specify the type of operation to be performed to obtain your Access Token. In the case of Mercado Pago, there are three available access flows:
authorization_code: A flow based on redirection, characterized by user intervention to explicitly authorize the application to access their data and by the use of a code provided by the authentication server so that the application can obtain an Access Token and an associated 'refresh_token'.
refresh_token: If an Access Token generated from the 'authorization_code' flow is invalid or expired, this flow will be used to exchange a temporary grant of the 'refresh_token' type for an Access Token. This allows the Access Token to be refreshed without requiring further user interaction after the authorization granted by the 'authorization_code' flow.
client_credentials: Used to obtain an Access Token without user interaction. This flow is used when applications request an Access Token using only their own credentials to access their own resources, without acting on behalf of a user or accessing their data.
code
string
Code provided by the authentication server so that the application can obtain an Access Token and an associated 'refresh_token'. It is valid for 10 minutes counted from its generation. Required when grant_type=authorizat...View more
Response parameters
access_token
string
Security code that identifies the user, their privileges and an application used in different requests from public sources to access protected resources. Its validity is determined by the expires_in parameter and is similar to APP_USR-1585551492-030918-25######3458-2880736, which is composed of:
Access Token type: APP_USR (application on behalf of a user), TEST (test, only valid in sandbox)
Client ID: 1585551492
Creation date (MMddHH): 030918
View more
token_type
string
necessary information for the token to be used correctly to access protected resources. The token of type "bearer" is the only one supported by the authorization server and is used when the Access Token is included as pl...View more
expires_in
number
Fixed access_token expiration time expressed in seconds. By default, the expiration time is 180 days (15552000 seconds).
scope
string
Scopes are used in the API authorization and consent process and allow you to determine what access the application requests and what access the user grants. By default, the scopes associated with the token are the ones ...View more
Errors

400Error

invalid_client

The provided client_id and/or client_secret of your app is invalid.

invalid_grant

There are several reasons for this error, it could be because the authorization_code or refresh_token is invalid, expired or revoked, was sent in an incorrect flow, belongs to another client, or the redirect_uri used in the authorization flow does not match what your application has configured.

invalid_scope

The requested scope is invalid, unknown, or wrongly formed. The allowed values for the scope parameter are “offline_access”, ”write” or ”read”.

invalid_request

The request does not include a required parameter, includes an unsupported parameter or parameter value, has a duplicated value, or is otherwise malformed.

unsupported_grant_type

Allowed values for grant_type are “authorization_code” or “refresh_token”.

forbidden

The call does not authorize access, possibly another user's token is being used.

unauthorized_client

The application does not have a grant with the user or the permissions (scopes) that the application has with this user do not allow creating a token.

429Error

local_rate_limited

The call does not authorize access, please try again.

Request
curl -X POST \
    'https://api.mercadopago.com/oauth/token'\
    -H 'Content-Type: application/json' \
    -d '{
  "client_secret": "client_secret",
  "client_id": "client_id",
  "grant_type": "client_credentials",
  "code": "TG-XXXXXXXX-241983636",
  "code_verifier": "47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU",
  "redirect_uri": "https://www.redirect-url.com?code=CODE&state=RANDOM_ID",
  "refresh_token": "TG-XXXXXXXX-241983636",
  "test_token": "false"
}'
Sample answer
{
  "access_token": "APP_USR-4934588586838432-XXXXXXXX-241983636",
  "token_type": "bearer",
  "expires_in": 15552000,
  "scope": "read write offline_access",
  "user_id": 241983636,
  "refresh_token": "TG-XXXXXXXX-241983636",
  "public_key": "APP_USR-d0a26210-XXXXXXXX-479f0400869e",
  "live_mode": true
}

Navigation

Your integrationsDocumentationAPI referenceSDK library

Resources and Community

ChangelogMercado Pago statusError reportSupportNewsNewsletterPartners Program

Mercado Pago

Your accountTerms of usePrivacy policy

Country and language

Argentina
Argentina
Brasil
México
Uruguay
Colombia
Chile
Perú
English
Español
English
Português
Mercado Pago ofrece servicios de pago y no está autorizado por el Banco Central a operar como entidad financiera. Los fondos acreditados en cuentas de pago no constituyen depósitos en una entidad financiera ni están garantizados conforme legislación aplicable a depósitos en entidades financieras. Copyright © 2025 MercadoLibre S.R.L.

Usamos cookies para mejorar tu experiencia en Mercado Pago. Consultar más en nuestro Centro de Privacidad.

¡Listo! Guardamos tus preferencias.
Algo salió mal. Por favor, vuelve a intentarlo.