# Code and tokens
source: https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/api-basics/code-and-tokens/index.md

When a Payment Service User (PSU) authorises a [Connect Login flow](https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/connect/login-flows/index.md) or a [Payment](https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/payments/index.md), it may be necessary to obtain an `accessToken` and a `loginToken` to maintain connectivity to that user session.

#### Retrieve the authentication code and check the session state {#retrieve-the-authentication-code-and-check-the-session-state}

After completing the login flow, the Payment Service User (PSU) will be redirected to the URL which was specified in `redirectUrl` when you initialized a login (by calling `/v1/authentication/initialize` or `/v1/payments/create`). The service appends a query string to the provided `redirectUrl` with information about the result of the completed login flow.

Redirect URL Example:

    https://aiia.eu/demo/redirect?code=qgAAAAVDaXBoZXJ0ZXh0AHAAAAAAhc3pqKXxpxfZnLBlBK8FZApw9cEVp7Fp9d0tcRGsx7Q9/t0gmKcPuh0jsny/VjT4Y7WTXZLPvmFjuCYUyKWgFeZs3iFVygNXZrtwHIocNFbRYSVHcIalV3Oleyc9JV4XcD4o/p++gDBWKRsSzipqQwVJdgAQAAAAABSXV44SuwfpjExvUiTg6IsQS2V5SWQAAAAAAAA=

You can also retrieve the code by using a dedicated method to collect the authentication code and check the status of PSU authentication.

The `/v1/authentication/{sessionId}/status` API returns the same authentication code for token exchange that is otherwise delivered via the `redirectUrl` specified in the Initialize request.

This is particularly useful within native applications, as communicating the authentication code from an embedded webview to the host application is error-prone.

```shell
curl -X GET \
  https://api.nordicapigateway.com/v1/authentication/{sessionId}/status \
  -H 'Content-Type: application/json' \
  -H 'X-Client-Id: <CLIENT_ID>' \
  -H 'X-Client-Secret: <CLIENT_SECRET>'
```

The API takes the `sessionId` returned when starting a supervised login or payment and an optional `pollTimeout` query parameter, the number of seconds to wait for authentication to complete. By default, the endpoint returns immediately. When `pollTimeout` is set, the API keeps polling for an updated status until either authentication completes or the timeout elapses.

The API then returns the `state` of the session, which is one of `InProgress`, `Succeeded`, `Failed`, `NotApplicable` or `Cancelled`. For a successful authentication it also returns the `code` associated with the session. Some payments do not require an `accessToken` for checking the payment status; in that case the state `NotApplicable` is returned: the payment did not require a session and you can [monitor the payment](https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/payments/monitoring-payments/index.md) without an `accessToken`.

Note: Implement appropriate error handling and timeout logic in your polling mechanism to avoid indefinite polling.

Here is an example response:

```json
{
    "state": "Succeeded",
    "code": "qgAAAAVDaXBoZXJ0ZXh0AHAAAAAAhc3pqKXxpxfZnLBlBK8FZApw9cEVp7Fp9d0tcRGsx7Q9/t0gmKcPuh0jsny/VjT4Y7WTXZLPvmFjuCYUyKWgFeZs3iFVygNXZrtwHIocNFbRYSVHcIalV3Oleyc9JV4XcD4o/p++gDBWKRsSzipqQwVJdgAQAAAAABSXV44SuwfpjExvUiTg6IsQS2V5SWQAAAAAAAA="
}
```

This code is used as the `code` parameter in `/v1/authentication/tokens`:

    qgAAAAVDaXBoZXJ0ZXh0AHAAAAAAhc3pqKXxpxfZnLBlBK8FZApw9cEVp7Fp9d0tcRGsx7Q9/t0gmKcPuh0jsny/VjT4Y7WTXZLPvmFjuCYUyKWgFeZs3iFVygNXZrtwHIocNFbRYSVHcIalV3Oleyc9JV4XcD4o/p++gDBWKRsSzipqQwVJdgAQAAAAABSXV44SuwfpjExvUiTg6IsQS2V5SWQAAAAAAAA=

By implementing both the redirect and polling methods to retrieve the `code`, you ensure that your integration can handle various network conditions and client environments, maximizing the success rate of the authentication flow.
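The following is an added example, not part of the page or the Aiia client libraries, showing both retrieval paths described above: reading the `code` verbatim from the redirect URL, and bounded polling of `/v1/authentication/{sessionId}/status` with `pollTimeout` that handles every documented `state`. The `transport` callable is a hypothetical injected HTTP layer so the flow can run offline; the base URL is taken from the page's curl examples.

```python
from urllib.parse import urlparse

BASE_URL = "https://api.nordicapigateway.com"  # taken from the page's curl examples
TERMINAL_STATES = {"Succeeded", "Failed", "NotApplicable", "Cancelled"}


def code_from_redirect(redirect_url):
    """Return the `code` from the redirectUrl query string, or None if absent.

    The value is returned verbatim: the page's example code contains '+', '/' and '='
    characters, which a form decoder such as parse_qs would turn into spaces or strip.
    """
    for pair in urlparse(redirect_url).query.split("&"):
        key, sep, value = pair.partition("=")
        if sep and key == "code":
            return value
    return None


def poll_status(session_id, transport, client_id, client_secret,
                poll_timeout=10, max_attempts=6):
    """Poll /v1/authentication/{sessionId}/status until a terminal state.

    `transport(method, url, headers, params)` is a hypothetical injected callable that
    performs the HTTP request and returns the parsed JSON body. Returns (state, code);
    code is None unless state is Succeeded. Raises TimeoutError after max_attempts so a
    stuck session is never polled indefinitely.
    """
    url = f"{BASE_URL}/v1/authentication/{session_id}/status"
    # Client credentials belong on your backend, not inside the app binary.
    headers = {"Content-Type": "application/json",
               "X-Client-Id": client_id, "X-Client-Secret": client_secret}
    for _ in range(max_attempts):
        # pollTimeout makes the API wait up to this many seconds before answering
        body = transport("GET", url, headers, {"pollTimeout": poll_timeout})
        state = body.get("state")
        if state in TERMINAL_STATES:
            return state, (body.get("code") if state == "Succeeded" else None)
        if state != "InProgress":
            raise ValueError(f"unexpected session state: {state!r}")
    raise TimeoutError(f"session {session_id} still InProgress after {max_attempts} polls")
```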

#### Exchange code for tokens {#exchange-code-for-tokens}

The `code` from the *supervised login* flow is exchanged for tokens from `/authentication/tokens`.

```shell
curl -X POST \
  https://api.nordicapigateway.com/v1/authentication/tokens \
  -H 'Content-Type: application/json' \
  -H 'X-Client-Id: <CLIENT_ID>' \
  -H 'X-Client-Secret: <CLIENT_SECRET>' \
  -d '{
        "code": "<CODE>"
      }'
```

Note: The `code` expires in one minute.

This is an example response when calling `/v1/authentication/tokens` or `/v1/authentication/unattended` with a valid code:

```json
{
    "success": true,
    "session": {
        "expires": "2019-01-23T13:30:07.1389724+00:00",
        "accessToken": "mgAAAAVDaXBoZXJ0ZXh0AGAAAAAA69Csw1VJ3snS4yDpfbxkSi24XPA88dmRGTtuzAcPVHrUHz0EnV97mDfCtL9vJauLg8GUs5hLaQO3unwDzm2YZx7Q6yNfXlh8/6hx2EIGE21O3abi11+nRgu19x+5HXwABUl2ABAAAAAAdR+4hq3HXxUdwszLM8VP2RBLZXlJZAAAAAAAAA=="
    },
    "login": {
        "providerId": "DemoBank",
        "expires": "2019-07-25T13:20:07.141971Z",
        "loginToken": "-ELT2-CgQAAAVDaXBoZXJ0ZXh0ANADAAAATNw5KNeoZU+ApQjbJkKb++e3sc+6QBLIJp9RDwHILusjnZfSYEgzvaMMuXY4uikdfPelN4ZPJ6AqHakI3aBx3hYZti2D6HsuV35UTi4TiZOfAJB6ol7S52P7rPAIowV9/bk3+mHtDXFAtjanbAQuKtKBbj8ETED1SP9SjPAtW/Bcv0VzRljb8jMgzp2/4W7BLBascLrElJY038PQX4kJBdK5pL+3wnp5mHaLDoeXodMnIgYy3GRU5UjrpjSRXIdbkhGunoH+3OuPXhQU/TKZW9AECQJxcp36YUIcg0BfcJdOpcJ7hSJPUwYnTXk4xmnpXkE+Z9fL1QZ77Kc44AULMG3sLZE+DrJw7Zf5nVa3mLGOBxCUWK/EtVErTqub/uXqj9Le1oQa8K1AUvmkHCcHtcCklVjTqend15oC2tP1MO1JlBHfqSjcuX9yb5BA1LhOWCfJAZbj0cAbbMA1rRoONA+EzWSP1zvenyB9UvDGAuPweWa1mDJAfDRExvI4ZE2KAAHVSM6Rk9wrbYpGuz878BM03SDc6g4/hYKPt/Y4UUaQtzDc9wwgX9oaApx+HG7pUfjNIQei80FrTXPN5aDnR1623xtCjlV4az35jdPk998yH8UHfzgeSoOzDs8z18UoumVS9IjclAWVisao8rptuhrDMEH44H1fqH6rBNYGNItFpTXrAkhnxyDsSupIZj6SAFxcWbFIqzd1E4GePGBspQGeQKYgi/tMHbvZ9CSc9rOmn5w0sG5YXa9LkBx573eKnQzcPLIJzgnGFxSKi6oqvm7A3nDbAEimjSutpfFB1snhFnDdmOIyTkYOVjju7MMvUT4NLY1MCPZEtsbsrq+uDNpxeBMFFADx+WdYJcNL9xIvcF18us842wgDwwQOWIsd5wgJgfKYPihu4fEAaHO9rYL34vRIT8TfouIZOO735+B1vkcXJ3QiEmwQ0f5dAHAxMP3OkdaCGtm2zdWEbRzfEquc5Nz1Te6seLzMc7avDa3/j7kN9h/+gIXYC5N3kpYPNsJiKvKmHRZZh6Un2x/c+A7b/VbPI88QfyNShm+8//+GTBLjHveNvd9QVJgEM01Kbxa/LP+P9BOLZBehJ4g6QUW4ylzh5jGGOHMuTf+wJGCr6W8xWSZXEqw2eOO2iC11fBfvVJAxd3FYRVEtZN+iX4ZpSfiJpwtDqy0BeU18n7nAXmk95GWwPnKgzH1abGH42ylFu3mGnEGy+SX7hSK/WlcbshTnrXiWa+Amt+cO49UGwkQRfbyxjYHjZnE21K66qjZpdIvqppB91bsIvr6X6QVJdgAQAAAAAIy7KH/qCocWCr989JWWgMAQS2V5SWQAAAAAAAA=",
        "supportsUnattended": true,
        "label": "DemoBank 1/23/2019 1:12:33 PM",
        "subjectId": "dc757223d2afb208283aee8bdc58976233fdc6cd259874a231875d8e9c7ae03a"
    },
    "providerId": "DemoBank"
}
```

Note: The `loginToken` is always created, even if the provider does not support unattended logins. Be sure to check `supportsUnattended` to see if the token supports unattended logins.
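As an added example that is not part of the page, the exchange step and the handling of its response: the code is posted immediately (it expires in one minute), the two `expires` timestamps are parsed in the exact forms the page shows (seven fractional digits with an offset, and a `Z` suffix), and the `loginToken` is only marked as usable for unattended login when `supportsUnattended` is true. The `transport` callable is a hypothetical injected HTTP layer; the sample response is constructed with shortened tokens.

```python
import re
from datetime import datetime, timezone

BASE_URL = "https://api.nordicapigateway.com"  # taken from the page's curl examples


def parse_expiry(value):
    """Parse `expires` timestamps as the page shows them, e.g.
    '2019-01-23T13:30:07.1389724+00:00' and '2019-07-25T13:20:07.141971Z'."""
    value = value.replace("Z", "+00:00")
    # datetime.fromisoformat() accepts at most six fractional digits; the API returns seven
    value = re.sub(r"\.(\d{6})\d+", r".\1", value)
    return datetime.fromisoformat(value)


def exchange_code(code, transport, client_id, client_secret):
    """POST the code to /v1/authentication/tokens; do it at once, the code lives one minute.
    `transport(method, url, headers, json_body)` is a hypothetical injected callable."""
    headers = {"Content-Type": "application/json",
               "X-Client-Id": client_id, "X-Client-Secret": client_secret}
    return transport("POST", f"{BASE_URL}/v1/authentication/tokens", headers, {"code": code})


def interpret_tokens(body, now):
    """Reduce a tokens response to what the integration has to act on."""
    if not body.get("success"):
        raise ValueError("token exchange did not succeed")
    session, login = body["session"], body["login"]
    access_ttl = (parse_expiry(session["expires"]) - now).total_seconds()
    if access_ttl <= 0:
        raise ValueError("accessToken already expired; restart the login flow")
    return {
        "providerId": body["providerId"],
        "accessToken": session["accessToken"],
        "accessTokenTtlSeconds": access_ttl,
        "loginToken": login["loginToken"],
        "loginTokenExpires": parse_expiry(login["expires"]),
        # the loginToken is always issued; only use it unattended when the provider supports it
        "unattendedLoginAllowed": bool(login.get("supportsUnattended", False)),
    }


# Constructed sample mirroring the page's response shape (tokens shortened)
SAMPLE_RESPONSE = {
    "success": True,
    "session": {"expires": "2019-01-23T13:30:07.1389724+00:00", "accessToken": "CONSTRUCTED_ACCESS"},
    "login": {"providerId": "DemoBank", "expires": "2019-07-25T13:20:07.141971Z",
              "loginToken": "CONSTRUCTED_LOGIN", "supportsUnattended": True,
              "label": "DemoBank 1/23/2019 1:12:33 PM", "subjectId": "CONSTRUCTED_SUBJECT"},
    "providerId": "DemoBank",
}
NOW = datetime(2019, 1, 23, 13, 0, 7, 138972, tzinfo=timezone.utc)  # constructed clock
```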

For more information on the Access Token and Login Token please refer to [Login flows](https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/connect/login-flows/index.md). For information on using the `loginToken` to perform an unattended login, please refer to [Unattended Login](/documentation/licensed/aiia-enterprise/connect/unattended/).
