# Retrieve an Access Token

> Retrieve an OAuth 2 Access Token.




## OpenAPI

````yaml /2025-09/openapi.json post /oauth2/token
openapi: 3.1.1
info:
  title: Stora Public API
  version: 2025-09
  x-build-date: '2026-05-20'
  description: >-
    The Stora Public API gives you programmatic access to your self-storage
    business. Use it to build custom integrations, automate operational
    workflows, and sync data with the tools you already use.
  termsOfService: https://www.stora.co/terms-of-service
  contact:
    name: Stora Support
    url: https://www.stora.co/contact
servers:
  - url: https://public-api.stora.co
    description: Production
security: []
tags:
  - name: Contacts
    description: >-
      Contact is the end user of an operator’s storage business — an individual
      or company that inquires, books, signs agreements, and pays for storage.
  - name: Contract Templates
    description: >-
      Contract Template is a reusable contract blueprint. It contains the
      contract content with fillable fields and variables that Stora can
      pre‑fill at document generation time for a specific contact and tenancy.
  - name: Contracts
    description: >-
      Contract is a document generated from a contract template for a specific
      contact. It tracks the signing lifecycle, moving through statuses such as
      pending, signed, voided, declined, and deleted.
  - name: Coupons
    description: >-
      Coupon is a reusable promotion that reduces the price a contact pays by
      either a percentage or a fixed amount. It can be applied to eligible
      charges such as unit rent or product and may be limited by duration,
      number of uses, or scope.
  - name: Credit Notes
    description: >-
      Credit Note reduces or reverses part or all of a previously issued
      invoice. It references the original invoice and contact, along with the
      specified corrected amounts and taxes.
  - name: Deals
    description: >-
      Deal refers to the collection of information pertaining to a potential
      order including contact, site, unit types, protection.
  - name: Deals / Stages
    description: Deal Stage refers to the stages a deal transitions through.
  - name: Identity Verifications
    description: Identity Verification tracks the process of verifying a contact’s identity.
  - name: Images
    description: >-
      Serves images associated with resources such as sites and unit types. The
      endpoint redirects to a temporary pre-signed storage URL where the image
      can be downloaded.
  - name: Invoices
    description: >-
      Invoice is a finalized billing document issued to a contact for their
      storage subscriptions and related charges. It itemizes line items like
      unit rent and protection, applies taxes and discounts, and tracks totals,
      balance due, and status over time.
  - name: Notes
    description: >-
      A note is a text annotation attached to a resource such as a contact,
      unit, subscription, or task. Notes capture observations, reminders, or
      context added by staff or integrations.
  - name: OAuth 2
    description: >-
      The Stora Public API supports two OAuth 2.0 flows. Use **Client
      Credentials** if you are an operator building your own integration. Use
      **Authorization Code** if you are a partner integrating on behalf of an
      operator.
  - name: Orders
    description: >-
      Order captures a contact’s intent to rent storage, including the selected
      site and unit type, move‑in date, pricing, and optional add‑ons like
      protection, products, and services. It tracks status over its lifecycle,
      and may lead to a subscription that bills on a recurring basis.
  - name: Orders / Line Items
    description: >-
      Order Line Items are the individual charges that make up an order. Each
      line item represents a product or service such as unit rent, protection,
      or a one‑off fee, and includes its quantity, unit price, and currency.
  - name: Product Categories
    description: >-
      Product Category groups related products and services into a logical
      classification used for pricing and display.
  - name: Products
    description: >-
      Product represents a sellable item or service offered by the operator. It
      defines attributes such as name, description, pricing model, currency, and
      category, which determine how it’s presented and billed.
  - name: Protection Levels
    description: >-
      Protection Level is an optional add‑on that protects a contact’s stored
      goods up to a chosen coverage amount. It’s priced and billed alongside
      storage, appears as its own product or line item, and follows the same tax
      and discount rules as other charges.
  - name: Sites
    description: >-
      Site is a single physical self‑storage location operated by the operator.
      It’s the container for everything specific to that location: units and
      unit types, pricing and taxes, access control, and reporting.
  - name: Staff
    description: >-
      Staff refers to a member of an organization who works on behalf of the
      operator.
  - name: Subscriptions
    description: >-
      Subscription is an ongoing billing agreement that charges a contact on a
      recurring schedule for storage and related services. It defines the
      billing period and active prices, accrues charges into invoices, and
      reflects proration, discounts, and taxes.
  - name: Tasks
    description: Tasks represent individual pieces of work or actions.
  - name: Tenancies
    description: >-
      Tenancy represents an ongoing storage agreement between a contact and an
      operator, tied to a site and one or more allocated units.
  - name: Timeline / Events
    description: >-
      An event represents a custom timeline entry created by an external
      integration, such as a CRM or messaging app.
  - name: Timeline / Sources
    description: >-
      A source represents the origin of a custom timeline event, such as an
      external CRM, or a custom integration.
  - name: Timeline / Templates
    description: >-
      A template defines the message format for a custom timeline event,
      including the Liquid template and available variables.
  - name: Unit Allocations
    description: >-
      Unit Allocation represents the assignment of a specific unit to a tenancy,
      tracking reservation and access details.
  - name: Unit Types
    description: >-
      Unit Type represents a standardized storage offering at a site, such as
      “50 sq ft indoor” or “20 ft container.” It defines core attributes used
      for pricing and availability, including size, features or access type, and
      display name.
  - name: Units
    description: >-
      Unit is a specific, bookable storage space at a site, for example “Unit
      A‑012” of a given unit type. It carries concrete attributes like
      identifier and status.
  - name: Webhook Endpoints
    description: >-
      Webhook endpoints are used to receive notifications when specific events
      occur in Stora. We will send a `POST` request to the endpoint with the
      event payload.
  - name: Webhooks
    description: >-
      Webhooks are HTTP callbacks that send real-time `POST` requests to your
      configured endpoints when specific events occur in Stora. When an event
      happens (such as an invoice being paid or a credit note being created),
      Stora will immediately send a webhook notification to all endpoints
      subscribed to that event type.
externalDocs:
  description: Stora Public API documentation website
  url: https://docs.stora.co/2025-09/
paths:
  /oauth2/token:
    post:
      tags:
        - OAuth 2
      summary: Retrieve an Access Token
      description: |
        Retrieve an OAuth 2 Access Token.
      operationId: oauth2_token
      parameters: []
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/OAuth2TokenRequest'
            examples:
              client_credentials:
                summary: Access Token from Client Credentials grant
                value:
                  grant_type: client_credentials
                  client_id: ei5bQqk_qUqan8MYMarc2-Eqb48vdB-oc_qBBUjG7co
                  client_secret: NlUuAoPDsKBhcCHc-I2Sa4nlPUaYm31nus6_OpiOzmQ
                  scope: public.contact:write
              access_code:
                summary: Access Token from Authorization Code grant
                value:
                  client_id: ei5bQqk_qUqan8MYMarc2-Eqb48vdB-oc_qBBUjG7co
                  client_secret: NlUuAoPDsKBhcCHc-I2Sa4nlPUaYm31nus6_OpiOzmQ
                  code: HwRIs8Xkte55uSjJBdwnpt_QtwdNMutjB-xMMcDVhfQ
                  grant_type: authorization_code
                  redirect_uri: https://app.stora.test
              refresh_token:
                summary: Access Token from Refresh Token
                value:
                  client_id: ei5bQqk_qUqan8MYMarc2-Eqb48vdB-oc_qBBUjG7co
                  client_secret: NlUuAoPDsKBhcCHc-I2Sa4nlPUaYm31nus6_OpiOzmQ
                  refresh_token: xVpo3OwOebV9baOrztNAojGsNlkv4tvuTKoPWEDNDyA
                  grant_type: refresh_token
                  scope: public.contact:read public.contact:write
      responses:
        '200':
          description: Access Token
          content:
            application/json:
              examples:
                client_credentials:
                  value:
                    access_token: _XVP5ehrV2pbjYmyx7B3vG0A3L2ZDHj5w1VVaJ9jfAM
                    token_type: Bearer
                    expires_in: 7200
                    scope: public.contact:write
                    created_at: 1740235260
                  summary: Access Token from Client Credentials grant
                authorization_code:
                  value:
                    access_token: K98aRY1o1pFsbUAb9w7-zBvaScT576_2Y1dO-YahXhE
                    token_type: Bearer
                    expires_in: 7200
                    refresh_token: BKneqgGehw7xSE9Fzm2aMP2AWg0cEHubsNOPFqNgAx4
                    scope: public.contact:read public.contact:write
                    created_at: 1740235260
                  summary: Access Token from Authorization Code grant
                refresh_token:
                  value:
                    access_token: PBCvI2W7x0Y6vFTzaFDi2vIdlXhuNehCv9OMm9sacP4
                    token_type: Bearer
                    expires_in: 1740242460
                    refresh_token: bs51F__fUJgkQg2CjU8MyOHiQGhMupneZBkVfyefJYU
                    scope: public.contact:read public.contact:write
                    created_at: 1740235260
                  summary: Access Token from Refresh Token
              schema:
                $ref: '#/components/schemas/OAuth2TokenResponse'
        '401':
          description: Invalid Request
          content:
            application/json:
              examples:
                default:
                  value:
                    error: invalid_client
                    error_description: >-
                      Client authentication failed due to unknown client, no
                      client authentication included, or unsupported
                      authentication method.
                  summary: Invalid Request
              schema:
                $ref: '#/components/schemas/OAuth2Error'
components:
  schemas:
    OAuth2TokenRequest:
      oneOf:
        - $ref: '#/components/schemas/OAuth2ClientCredentialsRequest'
        - $ref: '#/components/schemas/OAuth2RefreshTokenRequest'
        - $ref: '#/components/schemas/OAuth2AuthorizationCodeRequest'
      discriminator:
        propertyName: grant_type
        mapping:
          client_credentials:
            $ref: '#/components/schemas/OAuth2ClientCredentialsRequest'
          refresh_token:
            $ref: '#/components/schemas/OAuth2RefreshTokenRequest'
          authorization_code:
            $ref: '#/components/schemas/OAuth2AuthorizationCodeRequest'
    OAuth2TokenResponse:
      type: object
      description: OAuth 2 Token Response
      additionalProperties: false
      properties:
        access_token:
          type: string
          description: OAuth 2 Access Token.
        token_type:
          type: string
          description: OAuth 2 Token Type.
          const: Bearer
        expires_in:
          type: integer
          description: OAuth 2 Access Token Expiration Time in Seconds.
        scope: 8f88be37-f13c-4cf9-b2d8-b42a6ea0ee8c
        created_at:
          type: integer
          description: OAuth 2 Access Token Creation Time.
        refresh_token:
          type:
            - string
            - 'null'
          description: >-
            OAuth 2 Refresh Token. Available only for Authorization Code Grant
            Type.
    OAuth2Error:
      type: object
      description: OAuth 2 Error
      additionalProperties: false
      required:
        - error
        - error_description
      properties:
        error:
          type: string
        error_description:
          type: string
    OAuth2ClientCredentialsRequest:
      type: object
      description: OAuth 2 Client Credentials Request
      additionalProperties: false
      required:
        - grant_type
        - client_id
        - client_secret
        - scope
      properties:
        grant_type:
          type: string
          description: OAuth 2 Grant Type.
          const: client_credentials
        client_id:
          type: string
          description: OAuth 2 Client ID.
        client_secret:
          type: string
          description: OAuth 2 Client Secret.
        scope:
          type: string
          description: OAuth 2 Scopes separated by space.
    OAuth2RefreshTokenRequest:
      type: object
      description: OAuth 2 Refresh Token Request
      additionalProperties: false
      required:
        - grant_type
        - client_id
        - client_secret
        - refresh_token
      properties:
        grant_type:
          type: string
          description: OAuth 2 Grant Type.
          const: refresh_token
        client_id:
          type: string
          description: OAuth 2 Client ID.
        client_secret:
          type: string
          description: OAuth 2 Client Secret.
        scope: 747ad787-1f33-41c7-b5ae-5e8420fba723
        refresh_token:
          type: string
          description: OAuth 2 Refresh Token.
    OAuth2AuthorizationCodeRequest:
      type: object
      description: OAuth 2 Authorization Code Request
      additionalProperties: false
      required:
        - grant_type
        - client_id
        - client_secret
        - code
        - redirect_uri
      properties:
        grant_type:
          type: string
          description: OAuth 2 Grant Type.
          const: authorization_code
        client_id:
          type: string
          description: OAuth 2 Client ID.
        client_secret:
          type: string
          description: OAuth 2 Client Secret.
        redirect_uri:
          type: string
          format: uri
          description: OAuth 2 Redirect URI.
        code:
          type: string
          description: >-
            OAuth 2 Authorization Code provided by authenticated user in the
            callback to `redirect_uri`.
        code_verifier:
          type: string
          description: >-
            OAuth 2 Code Verifier for [PKCE
            flow](https://tools.ietf.org/html/rfc7636).

````
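
The following added example (not part of Stora's documentation or SDK) builds a `POST /oauth2/token` body that satisfies the request schemas above, redacts secrets before logging, and validates the reply. `SECRET_FIELDS`, the `[REDACTED]` marker and the `max_lifetime` bound of 86400 seconds are assumptions of this example; the bound rejects an `expires_in` such as the 1740242460 shown in the refresh-token response example, which is not a plausible lifetime in seconds.

```python
import json

# Required fields per grant type, copied from the request schemas above.
REQUIRED = {
    "client_credentials": {"grant_type", "client_id", "client_secret", "scope"},
    "refresh_token": {"grant_type", "client_id", "client_secret", "refresh_token"},
    "authorization_code": {"grant_type", "client_id", "client_secret",
                           "code", "redirect_uri"},
}
# Optional fields the schemas also list (additionalProperties is false).
OPTIONAL = {"client_credentials": set(), "refresh_token": {"scope"},
            "authorization_code": {"code_verifier"}}
# Assumption of this example: fields that must never reach a log line.
SECRET_FIELDS = {"client_secret", "refresh_token", "code", "code_verifier",
                 "access_token"}


def build_token_request(grant_type, **fields):
    """Return the JSON body for POST /oauth2/token, or raise ValueError."""
    if grant_type not in REQUIRED:
        raise ValueError(f"unsupported grant_type: {grant_type!r}")
    body = {"grant_type": grant_type, **fields}
    missing = REQUIRED[grant_type] - set(body)
    extra = set(body) - REQUIRED[grant_type] - OPTIONAL[grant_type]
    if missing or extra:
        raise ValueError(f"missing={sorted(missing)} unexpected={sorted(extra)}")
    return body


def redact(obj):
    """Copy of a request or response dict that is safe to write to logs."""
    return {k: ("[REDACTED]" if k in SECRET_FIELDS else v) for k, v in obj.items()}


def parse_token_response(status, raw, max_lifetime=86400):
    """Parse a token-endpoint reply; return the token dict plus 'expires_at'."""
    data = json.loads(raw)
    if status != 200:
        # OAuth2Error: 'error' and 'error_description' are both required.
        raise PermissionError(f"{data.get('error')}: {data.get('error_description')}")
    if data.get("token_type") != "Bearer" or not data.get("access_token"):
        raise ValueError("not a Bearer token response")
    lifetime = data.get("expires_in")
    if not isinstance(lifetime, int) or not 0 < lifetime <= max_lifetime:
        # A value this large is an absolute timestamp, not a duration.
        raise ValueError(f"implausible expires_in: {lifetime}")
    data["expires_at"] = data["created_at"] + lifetime
    return data
```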