Authentication overview

The Wise API, formerly the TransferWise API, provides programmatic access to Wise's international payment and multi-currency account services. To call it, an application must authenticate so that Wise can verify its identity and decide which actions it is authorized to perform. Wise primarily uses the OAuth 2.0 authorization framework, which lets an application obtain limited access to a user's account without ever handling the user's credentials. For server-to-server integrations with no user interface or direct user interaction, API tokens are available as an alternative authentication method.

Understanding the distinction between these methods is crucial for implementing secure and functional integrations. OAuth 2.0 is generally recommended for applications that act on behalf of a Wise user, such as a financial management app or an embedded finance solution. API tokens are more suitable for backend services that require direct, programmatic access to Wise functionalities, like automated payout systems or reporting tools.

Supported authentication methods

Wise API supports two primary authentication methods:

OAuth 2.0

OAuth 2.0 is an industry-standard protocol for authorization. It allows a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. Wise's implementation of OAuth 2.0 follows the Authorization Code Grant flow, which is recommended for confidential clients (applications capable of maintaining the confidentiality of their credentials).

  • Authorization Code Grant Flow: This flow involves redirecting the user to Wise's authentication page, where they grant permission to your application. Wise then redirects the user back to your application with an authorization code, which your application exchanges for an access token and a refresh token.
  • Access Tokens: These are short-lived credentials that grant access to specific API resources. They must be included in the Authorization header of every API request.
  • Refresh Tokens: These are long-lived credentials used to obtain new access tokens once the current one expires, without requiring the user to re-authenticate.

API Tokens

API tokens provide a simpler authentication mechanism for server-to-server integrations where user interaction is not required. An API token is a unique string that acts as both a credential and an identifier for your application. These tokens should be treated with the same level of security as a password due to their direct access capabilities.

  • Direct Access: API tokens grant direct access to the Wise API endpoints associated with the token's permissions.
  • Usage: API tokens are typically included in the Authorization header of API requests as a Bearer token, similar to access tokens obtained via OAuth 2.0.

Comparison of Authentication Methods

The following table outlines the key characteristics of each method:

Method     | When to use                                                                                          | Security level
OAuth 2.0  | Applications acting on behalf of a Wise user (e.g., embedded finance, dashboard integrations)        | High (delegated access, short-lived tokens, user consent)
API tokens | Server-to-server integrations without user interaction (e.g., automated payouts, backend reporting)  | Medium-high (direct access; requires careful management and rotation)

Getting your credentials

To begin authenticating with the Wise API, you must first register your application and obtain the necessary credentials. The process typically involves accessing the Wise Business API portal.

For OAuth 2.0

  1. Register your application: Navigate to the Wise API documentation and follow the instructions for registering a new application. During registration, you will typically provide details such as your application name, description, and redirect URIs.
  2. Obtain Client ID and Client Secret: Upon successful registration, Wise will issue you a Client ID and Client Secret. The Client ID is a public identifier for your application, while the Client Secret is a confidential key that must be kept secure.
  3. Configure Redirect URIs: Ensure that the redirect URIs configured in your application registration exactly match the URIs where Wise will send the authorization code after user consent. Treat this as an exact string comparison (scheme, host, port and path): register each environment's callback URL separately rather than relying on a wildcard or prefix match. These URIs are critical for the security of the OAuth 2.0 flow, because a loosely matched or attacker-controlled redirect URI lets the authorization code be delivered to the wrong party.
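The flow described in the OAuth 2.0 section and the credentials obtained in the three steps above, put together as client code. This is an added example, not code from Wise or its SDKs: the authorize and token endpoint URLs, the demo client ID and secret, and the simulated token endpoint are assumptions made so the example runs offline (take the real endpoints from the Wise developer documentation). The token endpoint is authenticated with HTTP Basic client credentials, as RFC 6749 describes for confidential clients; the example also shows the two checks the text calls for on the callback, an exact redirect URI match and a single-use state value.

```python
"""Client side of the OAuth 2.0 Authorization Code Grant flow.

Added example, not Wise's SDK or documentation code. AUTHORIZE_URL, TOKEN_URL,
the demo client credentials and fake_token_endpoint are assumptions.
"""
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://wise.com/oauth/authorize"  # assumed; check the Wise docs
TOKEN_URL = "https://api.wise.com/oauth/token"       # assumed; check the Wise docs


class OAuthClient:
    """Builds the authorization redirect, validates the callback, exchanges and refreshes tokens."""

    def __init__(self, client_id, client_secret, redirect_uri, http_post):
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri  # must equal the URI registered with Wise, byte for byte
        self._http_post = http_post        # callable(url, headers, form) -> (status, json_body)
        self._pending_states = set()       # one-time CSRF tokens for authorizations in flight

    def authorization_url(self):
        """Step 1: the URL to send the user to. The state binds the callback to this request."""
        state = secrets.token_urlsafe(32)
        self._pending_states.add(state)
        params = {
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "response_type": "code",
            "state": state,
        }
        return f"{AUTHORIZE_URL}?{urlencode(params)}", state

    def handle_callback(self, callback_url):
        """Step 2: validate the redirect the user came back on, then exchange the code."""
        parsed = urlparse(callback_url)
        # The callback must land on exactly the registered redirect URI (scheme, host, port, path).
        if parsed._replace(query="", fragment="").geturl() != self.redirect_uri:
            raise ValueError("callback arrived on an unregistered redirect URI")
        query = parse_qs(parsed.query)
        if "error" in query:  # user denied consent, or Wise rejected the authorization request
            raise PermissionError(f"authorization failed: {query['error'][0]}")
        state = query.get("state", [""])[0]
        if state not in self._pending_states:
            raise ValueError("unknown or reused state: possible CSRF or replayed callback")
        self._pending_states.discard(state)  # single use: replaying this callback fails above
        code = query.get("code", [""])[0]
        if not code:
            raise ValueError("callback carried no authorization code")
        return self.exchange_code(code)

    def exchange_code(self, code):
        """Step 3: swap the short-lived code for an access token and a refresh token."""
        return self._token_request(
            {"grant_type": "authorization_code", "code": code, "redirect_uri": self.redirect_uri}
        )

    def refresh(self, refresh_token):
        """Obtain a new access token without sending the user through consent again."""
        return self._token_request({"grant_type": "refresh_token", "refresh_token": refresh_token})

    def _token_request(self, form):
        # The client authenticates to the token endpoint with HTTP Basic (client_id:client_secret),
        # so the secret never appears in a URL or in the user's browser.
        basic = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        headers = {"Authorization": f"Basic {basic}",
                   "Content-Type": "application/x-www-form-urlencoded"}
        status, body = self._http_post(TOKEN_URL, headers, form)
        if status != 200:
            raise RuntimeError(f"token endpoint returned {status}: {body}")
        return body


def fake_token_endpoint(url, headers, form):
    """Constructed stand-in for the token endpoint so the flow can be exercised offline."""
    expected = "Basic " + base64.b64encode(b"demo-client-id:demo-client-secret").decode()
    if headers.get("Authorization") != expected:
        return 401, {"error": "invalid_client"}
    if form.get("grant_type") == "authorization_code" and form.get("code") == "demo-code":
        return 200, {"access_token": "at-1", "refresh_token": "rt-demo", "expires_in": 43200}
    if form.get("grant_type") == "refresh_token" and form.get("refresh_token") == "rt-demo":
        return 200, {"access_token": "at-2", "refresh_token": "rt-demo", "expires_in": 43200}
    return 400, {"error": "invalid_grant"}


if __name__ == "__main__":
    client = OAuthClient("demo-client-id", "demo-client-secret",
                         "https://app.example.com/wise/callback", fake_token_endpoint)
    url, state = client.authorization_url()
    print("redirect user to:", url)
    tokens = client.handle_callback(f"https://app.example.com/wise/callback?code=demo-code&state={state}")
    print("access token:", tokens["access_token"])
    print("refreshed access token:", client.refresh(tokens["refresh_token"])["access_token"])
```

To use it against Wise, replace fake_token_endpoint with a function that POSTs the form with the given headers (for example via requests.post with a timeout) and returns the status code and parsed JSON; everything else, including the state and redirect URI checks, stays the same.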

For API Tokens

  1. Access API Token Generation: Within the Wise Business API portal, locate the section for generating API tokens. This is usually under developer settings or API keys.
  2. Generate Token: Follow the prompts to generate a new API token. You may be asked to specify the permissions (scopes) associated with the token. Grant only the minimum necessary permissions to adhere to the principle of least privilege.
  3. Store Securely: Once generated, the API token will be displayed. Copy it immediately and store it securely. Wise typically does not store API tokens in a retrievable format, meaning if you lose it, you will need to generate a new one.

Authenticated request example

After obtaining your credentials, you can make authenticated requests to the Wise API. The following example demonstrates how to make a request using an access token (obtained via OAuth 2.0 or an API token) to retrieve your Wise profile details. This Python example uses the requests library.


import os
import requests

# Read the token from the environment rather than hardcoding it (see "Security best practices").
# Works with either an OAuth 2.0 access token or an API token.
ACCESS_TOKEN = os.environ["WISE_API_TOKEN"]

# Wise API endpoint for profile details
API_URL = "https://api.wise.com/v1/profiles"

headers = {
    "Authorization": f"Bearer {ACCESS_TOKEN}",
    "Accept": "application/json"
}

try:
    # Always set a timeout: a hung connection should fail, not block the worker indefinitely.
    response = requests.get(API_URL, headers=headers, timeout=10)
    response.raise_for_status()  # Raise an exception for HTTP errors

    profile_data = response.json()
    print("Successfully retrieved profile data:")
    for profile in profile_data:
        print(f"  Profile ID: {profile['id']}, Type: {profile['type']}")

except requests.exceptions.HTTPError as err:
    # 401: token invalid or expired; 403: token lacks the required permissions
    print(f"HTTP error occurred: {err}")
    print(f"Response content: {err.response.text}")
except requests.exceptions.RequestException as err:
    # Network-level failures: DNS, TLS, connection refused, timeout
    print(f"An error occurred: {err}")

In this example, the Authorization: Bearer <token> header is what authenticates the request; the token is read from the WISE_API_TOKEN environment variable so it never lives in source code. The response.raise_for_status() call turns HTTP error responses into exceptions (e.g., 401 Unauthorized if the token is invalid or expired, or 403 Forbidden if the token lacks the necessary permissions), and the handler reads the body from err.response so it works even if the request itself never produced a response object.

Security best practices

Adhering to security best practices is essential when integrating with financial APIs like Wise to protect sensitive data and maintain the integrity of transactions. Wise itself maintains compliance with standards like PCI DSS and GDPR, and developers should mirror this commitment in their integrations.

  • Secure Credential Storage: Never hardcode API keys or sensitive credentials directly into your application's source code. Use environment variables, secure configuration files, or dedicated secret management services (e.g., AWS Secrets Manager, Google Secret Manager, Azure Key Vault) for storing Client Secrets, API tokens, and refresh tokens.
  • Least Privilege Principle: Grant only the minimum necessary permissions (scopes) to your API tokens or OAuth 2.0 applications. Avoid requesting or generating tokens with broad access if only specific functionalities are needed. This limits the potential damage if a credential is compromised.
  • Token Rotation and Expiration: Implement mechanisms for regularly rotating API tokens and managing refresh tokens. OAuth 2.0 access tokens have a limited lifetime, requiring applications to use refresh tokens to obtain new ones. For API tokens, establish a regular rotation schedule.
  • HTTPS/TLS Enforcement: Always ensure all communication with the Wise API occurs over HTTPS (TLS). This encrypts data in transit, protecting credentials and transaction details from interception. Wise API endpoints enforce HTTPS by default.
  • Input Validation and Output Encoding: Validate all input received by your application before processing it and encode all output displayed to users. This helps prevent common web vulnerabilities such as SQL injection and cross-site scripting (XSS) that could lead to credential exposure or unauthorized actions.
  • Error Handling and Logging: Implement robust error handling to catch and log authentication and authorization failures. However, avoid logging sensitive information (like full tokens or passwords) in plain text. Use unique request IDs for easier debugging without compromising security.
  • Protect Redirect URIs (OAuth 2.0): Register only exact https:// redirect URIs, never wildcards, and make sure the callback handler does not forward the user to an attacker-supplied URL, since an open redirect on the callback leaks the authorization code. Validate the state parameter on every callback so an authorization code cannot be injected into another user's session. Misconfigured redirect URIs can lead to authorization code interception attacks.
  • Regular Security Audits: Periodically review your application's security posture, including how it handles authentication and authorization. Conduct security audits and penetration testing to identify and remediate potential vulnerabilities.
  • Stay Updated: Keep your SDKs, libraries, and frameworks updated to benefit from the latest security patches and improvements. Regularly check the Wise developer documentation for any updates to their security recommendations or API changes.
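Several of the practices above (credentials loaded from the environment, refresh-token handling when an access token expires, logging that never carries a raw token, and request IDs for debugging) combined in one small client. This is an added example, not Wise's own client code: the WISE_ACCESS_TOKEN environment variable name, the X-Request-Id header (used here only to correlate your own logs) and the simulated transport are assumptions made so it runs offline. It also shows the difference between a 401, which is worth one refresh attempt, and a 403, which a refresh will not fix.

```python
"""Token handling: env-sourced secrets, refresh on 401, redacted logs, request IDs.

Added example, not Wise's client library. The environment variable name, the
X-Request-Id header and fake_wise_get are assumptions so the code runs offline.
"""
import hashlib
import logging
import os
import uuid

log = logging.getLogger("wise.client")


def token_fingerprint(token):
    """Non-reversible 12-hex-char handle for a token: enough to correlate log lines, useless to an attacker."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def safe_headers(headers):
    """Copy of the request headers with the bearer token replaced by its fingerprint, for logging only."""
    redacted = dict(headers)
    auth = redacted.get("Authorization", "")
    if auth.startswith("Bearer "):
        redacted["Authorization"] = "Bearer <" + token_fingerprint(auth[len("Bearer "):]) + ">"
    return redacted


def load_token_from_env(name="WISE_ACCESS_TOKEN"):
    """Minimal secure storage: the token lives in the process environment (or a secret manager), never in source."""
    token = os.environ.get(name)
    if not token:
        raise RuntimeError(f"{name} is not set; export it or inject it from your secret manager")
    return token


class WiseSession:
    """Bearer-token session that refreshes once on 401 and fails loudly on 403."""

    def __init__(self, access_token, http_get, refresh=None):
        self._access_token = access_token
        self._http_get = http_get   # callable(url, headers) -> (status, json_body)
        self._refresh = refresh     # callable() -> new access token; None for API tokens, which cannot be refreshed
        self.refreshes = 0

    def get(self, url):
        for attempt in (1, 2):
            request_id = str(uuid.uuid4())  # lets you find the failing call in logs without logging the token
            headers = {"Authorization": f"Bearer {self._access_token}",
                       "Accept": "application/json",
                       "X-Request-Id": request_id}  # assumed header, for your own log correlation
            log.debug("GET %s request_id=%s headers=%s", url, request_id, safe_headers(headers))
            status, body = self._http_get(url, headers)
            if status == 401 and attempt == 1 and self._refresh is not None:
                # Expired access token: obtain a new one with the refresh token and retry exactly once.
                log.warning("401 for token %s (request_id=%s); refreshing",
                            token_fingerprint(self._access_token), request_id)
                self._access_token = self._refresh()
                self.refreshes += 1
                continue
            if status in (401, 403):
                # 401 after a refresh, or 403 (missing scope): no retry will help, surface it.
                raise PermissionError(f"HTTP {status} from {url} (request_id={request_id}, "
                                      f"token {token_fingerprint(self._access_token)})")
            if status >= 400:
                raise RuntimeError(f"HTTP {status} from {url} (request_id={request_id}): {body}")
            return body


def fake_wise_get(url, headers):
    """Constructed transport: 'fresh-token' is valid, 'read-only-token' may only read profiles, anything else is expired."""
    token = headers.get("Authorization", "").removeprefix("Bearer ")
    if token == "fresh-token":
        return 200, [{"id": 101, "type": "personal"}, {"id": 202, "type": "business"}]
    if token == "read-only-token":
        if url.endswith("/v1/profiles"):
            return 200, [{"id": 101, "type": "personal"}]
        return 403, {"error": "insufficient_scope"}
    return 401, {"error": "invalid_token"}


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="%(levelname)s %(message)s")
    session = WiseSession("expired-token", fake_wise_get, refresh=lambda: "fresh-token")
    print(session.get("https://api.wise.com/v1/profiles"))
```

Run it and note that the DEBUG line shows Authorization: Bearer <fingerprint> rather than the token. In production, refresh would be the refresh_token grant against the token endpoint, and http_get a requests.get call with a timeout; an API-token integration passes refresh=None, so an expired or revoked token raises immediately and the rotation job, not a retry loop, is what replaces it.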