Out-of-band, the Receiver platform generates TOKEN_A and securely shares it (along with its versions endpoint URL) with the Sender platform via email, portal, or API key exchange.
The Sender uses TOKEN_A as the Bearer token to GET the Receiver's versions endpoint and then GET the matching version details endpoint to discover module URLs including the credentials module URL.
The Sender generates TOKEN_B (a new token it will accept from the Receiver for return calls) and POSTs to the Receiver's credentials module URL with Authorization: Token TOKEN_A; the POST body contains TOKEN_B, the Sender's own versions URL, and party/country codes.
The Receiver, upon receiving the POST, uses TOKEN_B to GET the Sender's versions and version details endpoints to discover the Sender's module URLs; it then generates TOKEN_C (the long-lived operational token for the Sender to use in all future requests).
The Receiver returns HTTP 200 with a credentials object containing TOKEN_C, its own versions URL, and party/country codes; TOKEN_A is now invalidated and MUST NOT be reused.
Going forward, the Sender includes Authorization: Token TOKEN_C in all subsequent OCPI requests to the Receiver; TOKEN_B is used by the Receiver for its outbound calls to the Sender.
Known gotchas
TOKEN_B is the temporary token sent by the Sender during registration for the Receiver to use on return calls; TOKEN_C is the long-lived credential returned by the Receiver for the Sender's future requests — confusing the two causes 401 errors in production.
TOKEN_A must be treated as single-use and discarded after the credentials POST completes; reusing TOKEN_A after TOKEN_C has been issued is non-compliant and most platforms will reject it.
Both parties must complete the GET of each other's versions endpoint during the handshake (mutual discovery); skipping the Receiver's GET of the Sender's modules results in an incomplete connection where the Receiver cannot initiate push calls.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp