1
Get your credentials
Tesouro issues a client ID and client secret during onboarding. To request access, have your designated team lead submit an access request.Store the client secret in a secrets manager. It is not recoverable after creation — if lost, you must submit a new access request.
2
Generate an access token
Exchange your credentials for a short-lived The token is valid for
Bearer token using the OAuth 2.0 client_credentials grant against the sandbox token endpoint.Request
Response
expires_in seconds (typically one hour). Cache it on your server and request a new one before it expires — don’t fetch a new token on every API call.3
Make your first authenticated call
Pass the token in the A
Authorization header. A safe first call is GET /embedded-banking/v1/bank-accounts, which returns the bank accounts visible to your application.Request
Response
401 means the token is missing, expired, or malformed. A 403 means the token is valid but lacks the scope the endpoint requires — every endpoint in the API reference lists its required scope.Switch to production by replacing the host with
https://api.tesouro.com and using your
production credentials. See Environments for the
full breakdown.Next steps
- Authentication overview — token lifecycle, revocation, and acting on behalf of a user via token exchange
- Application flow — start a bank account application with
POST /embedded-banking/v1/bank-account-applications(filter the API reference to the Bank Account Applications tag) - Money movement — initiate book, ACH, RTP, and FedNow transfers
- Webhooks — receive asynchronous events for application decisions and transfer state changes
- Pagination, sorting, and filtering — conventions every list endpoint follows