An Access Token is valid for 3600 seconds. New Access Token could be obtained as long as Refresh Token is valid.
Refer also to:
API reference - Access Authorization
FAQ
Q:
What does the duration value in Redirect Access Authorization refer to? Is it related to access token or consent?
A:
The duration value in Redirect Access Authorization refers to the consent duration. It can be set for up to 180 days. For security reasons, access_token validity is always limited to 3600 seconds. After the access_token expires, it can be refreshed without any action from the PSU (Payment Service User) as long as the consent remains valid.
Q:
(Sandbox) While trying to obtain an access token, we encountered the following error ("code":"error.token.expired", "description":"Oauth code expired"):
Request
URI : https://api.nordeaopenbanking.com//personal/v5/authorizeMethod : POSTHeaders: Accept: application/json Content-Type: application/json Content-Length: 396 X-IBM-Client-ID: f974f48d-***-1b58608b3e69 X-IBM-Client-Secret: K7oL7sG0w***0tY6fS8nN5 X-Nordea-Originating-Host: api.nordeaopenbanking.com X-Nordea-Originating-Date: Tue, 26 Aug 2025 13:27:07 GMT Signature: SKIP_SIGNATURE_VALIDATION_FOR_SANDBOX authorization: Bearer eyJ0eXAiOiJKV1QiLCJhb***kKbO1kEQ4PjXnWHHtg gatewayhostname: api.nordeaopenbanking.com gatewayuri: /personal/v5/authorizeBody: { "authentication_method" : "BANKID_SE", "duration" : 3600, "country" : "FI", "skip_account_selection" : "true", "max_tx_history" : "10", "scope" : [ "ACCOUNTS_BASIC", "ACCOUNTS_BALANCES", "ACCOUNTS_TRANSACTIONS", "PAYMENTS_MULTIPLE" ], "account_list" : [ "ALL" ], "language" : "en", "redirect_uri" : "https://test.test.it/sca-test/fe/manageReturn", "state" : "a214a06e-***-c53d2dd5ea9a"}
Response
Status code : 302 FOUNDStatus text : Headers: Vary: Origin,Access-Control-Request-Method,Access-Control-Request-Headers Location: https://test.test.it/sca-test/fe/manageReturn?code=ZXlKbGJtTWlPaUpCT***NjcUtxOVNobHBtaTdn&state=a214a06e-***-c53d2dd5ea9a Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains X-Frame-Options: DENY X-XSS-Protection: 0 Referrer-Policy: no-referrer X-Global-Transaction-ID: dd51***87bf1 X-RateLimit-Limit: name=default-rate,10000; X-RateLimit-Remaining: name=default-rate,9999; Date: Tue, 26 Aug 2025 13:27:08 GMT Keep-Alive: timeout=60 Connection: keep-alive
Request
URI : https://api.nordeaopenbanking.com/personal/v5/authorize/tokenMethod : POSTHeaders: Accept: application/json Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Content-Length: 1272 X-IBM-Client-ID: f974f48d-***-1b58608b3e69 X-IBM-Client-Secret: K7oL7sG0w***0tY6fS8nN5 X-Nordea-Originating-Host: api.nordeaopenbanking.com X-Nordea-Originating-Date: Tue, 26 Aug 2025 13:28:58 GMT Signature: SKIP_SIGNATURE_VALIDATION_FOR_SANDBOX authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbG***7jbiocEtIGcJK04Wy07A gatewayhostname: api.nordeaopenbanking.com gatewayuri: /personal/v5/authorize/tokenBody: code=ZXlKbGJtTWlPaUpCT***NjcUtxOVNobHBtaTdn&grant_type=authorization_code&redirect_uri=https%3A%2F%2Ftest.test.it%2Fsca-test%2Ffe%2FmanageReturn
Response
Status code : 400 BAD_REQUESTStatus text : Headers: Vary: Origin,Access-Control-Request-Method,Access-Control-Request-Headers Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains X-Frame-Options: DENY X-XSS-Protection: 0 Referrer-Policy: no-referrer X-Global-Transaction-ID: dd51bf***be6a80 X-RateLimit-Limit: name=default-rate,10000; X-RateLimit-Remaining: name=default-rate,9998; Content-Type: application/json Date: Tue, 26 Aug 2025 13:28:58 GMT Connection: closeBody: { "group_header" : { "message_identification" : "611e7925***284a36a", "creation_date_time" : "2025-08-26T13:28:59.258993499Z", "http_code" : 400 }, "error" : { "request" : { "url" : "/v5/authorize/token" }, "failures" : [ { "code" : "error.token.expired", "description" : "Oauth code expired"
What could be the reason?
A:
You requested the endpoint:
at 13:27:07 GMT and received the authorization code at 13:27:08 GMT which expired in 60 seconds. Then you requested the endpoint:
POST personal/v5/authorize/token
at 13:28:58 GMT providing expired authorization code and received expected API response.
Note: The authorization code required to retrieve the access token expires in 60 seconds for security reasons.