The Factus API is protected by OAuth 2.0. TheDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/tutosrive/factus_challenge/llms.txt
Use this file to discover all available pages before exploring further.
src/auth/token.js module handles the complete token lifecycle — initial acquisition, storage, and periodic rotation — so that the rest of the application only ever needs to read process.env.access_token. When main.js boots, it calls token() immediately and sets up an automatic refresh interval, ensuring a valid token is always available before the first HTTP request is made.
Grant Flows
The module decides which grant type to use by checking whetherprocess.env.refresh_token is already populated at call time.
Password Grant
Used on first run (or after a server restart) when no
refresh_token is present in the environment.Sends the following fields to POST /oauth/token:client_idclient_secretgrant_type=passwordusername(the value ofprocess.env.email)password
Refresh Token Grant
Used on all subsequent calls once a
refresh_token has been stored in process.env.Sends the following fields to POST /oauth/token:client_idclient_secretgrant_type=refresh_tokenrefresh_token
Token Endpoint
All token requests are sent asPOST to:
application/x-www-form-urlencoded using qs.stringify — not JSON — as required by the OAuth 2.0 specification for the token endpoint.
Automatic Token Refresh
After the initial token acquisition,token.js schedules a setInterval that re-runs the query() function every 55 minutes (3,300,000 ms). Because the refresh_token is available in process.env by then, every scheduled call uses the refresh token grant — no credentials are re-submitted after the first run.
id_interval and returned by the exported token() function, making it possible to cancel the refresh cycle if needed.
Token Storage
After each successful response from the token endpoint, both tokens are written directly into the Node.js process environment:Using the Access Token in API Requests
Every outgoing request to the Factus API attaches the in-memory token as aBearer credential:
src/controllers/factura.controller.js inside the request_fact() helper.
API Base URL
Use
https://api-sandbox.factus.com.co as url_api during development and testing. Switch to https://api.factus.com.co when deploying to production. The only change required is the value of the url_api environment variable — no code changes are needed.Required Environment Variables
| Variable | Required | Description |
|---|---|---|
url_api | ✅ Yes | Factus API base URL (sandbox or production) |
client_id | ✅ Yes | OAuth 2.0 client identifier issued by Factus |
client_secret | ✅ Yes | OAuth 2.0 client secret issued by Factus |
email | ✅ Yes | Factus account email — used as username in password grant |
password | ✅ Yes | Factus account password — used in password grant |
refresh_token | ⬜ Optional | Leave blank on first run; written automatically at runtime |
src/auth/token.js — Full Source
src/auth/token.js
