> ## Documentation Index
> Fetch the complete documentation index at: https://developer.usetyms.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Exchange authorization code

> Exchange a single-use authorization code for access and refresh tokens. Requires your app **secret key** in `X-API-Key`.

<Note>Send your integration app `tyms_sk_...` in `X-API-Key` (or `api-key` / `sk`). Access tokens expire after **60 minutes**.</Note>


## OpenAPI

````yaml /openapi/adam-v1.json post /oauth/access/token
openapi: 3.0.3
info:
  title: Adam Developer API
  version: 1.0.0
  description: >-
    REST API for useadam.io — Adam, the AI accounting agent for small
    businesses. Paths are appended to the server URL.


    **Business key** (`tyms_sk_...`): all routes except `POST
    /register-business` and OAuth authorization steps that document their own
    auth. **Partner key** (`adam_partner_sk_...` or equivalent): only `POST
    /register-business`. **OAuth**: integration apps use `tyms_pk_...` /
    `tyms_sk_...` plus user Bearer tokens — see the OAuth guide.


    Financial reports match what you see in the Adam app. AI create endpoints
    accept optional attachment objects (`name`, `file`, `type`) — see the
    Attachments page in this docs site.
servers:
  - url: https://api.useadam.io/v1/adam
    description: Production
security:
  - apiKey: []
tags:
  - name: Partners
    description: Referral partner (distributor) flows — partner API key only.
  - name: Authentication
    description: Validate a business Developer API key.
  - name: OAuth
    description: >-
      Third-party integration authorization — connect Tyms users to your app
      without sharing their business secret keys.
  - name: Chart of accounts
    description: COA and bank-linked accounts.
  - name: Invoices
    description: Invoice CRUD and payments.
  - name: Bills
    description: Bill CRUD and payments.
  - name: Expenses
    description: Expense CRUD.
  - name: Income
    description: Income record CRUD.
  - name: Journals
    description: Journal entry CRUD.
  - name: Contacts
    description: Contact CRUD.
  - name: Banks
    description: Bank accounts.
  - name: Bank transactions
    description: Statement lines and AI-assisted upload.
  - name: Reports
    description: Financial statements (aligned with in-app reports).
paths:
  /oauth/access/token:
    post:
      tags:
        - OAuth
      summary: Exchange authorization code
      description: >-
        Exchange a single-use authorization code for access and refresh tokens.
        Requires your app **secret key** in `X-API-Key`.
      operationId: oauthAccessToken
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/OAuthAccessTokenRequest'
            example:
              authorization_code: AD_example
              business_id: business-uuid
      responses:
        '200':
          description: Access and refresh tokens
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuthTokenSuccess'
              example:
                status: success
                message: Business access token retrieved successfully
                data:
                  access_token: oauth_access_token
                  refresh_token: oauth_refresh_token
                  expires_at: '2026-06-16T15:30:00+00:00'
                  token_type: Bearer
                  business_id: business-uuid
        '400':
          description: Expired or invalid authorization code
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              example:
                status: failed
                message: Authorization code expired
        '401':
          description: Invalid app secret key
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
components:
  schemas:
    OAuthAccessTokenRequest:
      type: object
      required:
        - authorization_code
        - business_id
      properties:
        authorization_code:
          type: string
        business_id:
          type: string
    OAuthTokenSuccess:
      type: object
      properties:
        status:
          type: string
        message:
          type: string
        data:
          type: object
          properties:
            access_token:
              type: string
            refresh_token:
              type: string
            expires_at:
              type: string
              format: date-time
            token_type:
              type: string
              example: Bearer
            business_id:
              type: string
    ErrorResponse:
      type: object
      properties:
        status:
          type: string
          example: failed
        message:
          type: string
  securitySchemes:
    apiKey:
      type: apiKey
      in: header
      name: X-API-Key
      description: >-
        Business secret `tyms_sk_...` for all routes except **Register
        business**, which expects your **partner** secret.
      x-default: your_tyms_sk_or_partner_key

````