Authentication
We use three different types of authentication:
- access token
- basic authentication
- signature
For new integrations, please use the access token method.
Access Token
Requirements
First, contact us to get both a client API key and a secret.
WARNING
⚠️ Follow best practices when handling your credentials
- Keep your API key and secret private. Never expose them in public-facing applications such as frontend JavaScript, mobile apps, or shared code repositories.
- Do not log your credentials or store them insecurely.
- Always use a secure HTTPS connection and verify the correct API endpoint URL.
- If your credentials are accidentally exposed or compromised, contact us immediately.
See our environments to get the URL of the API.
1. Authenticate to get an Access Token
Once you have your key and secret, make a POST request to /api/token, authenticating using HTTP Basic Auth:
➡️ your API key is the username and your API secret is the password.
```http
POST /api/token HTTP/1.1
Host: API_URL
Content-Type: application/x-www-form-urlencoded
Authorization: Basic eW91cl9rZXk6eW91cl9zZWNyZXQ=
```
The body must contain the required form parameters:
| Parameter | Description |
|---|---|
| grant_type | Must be exactly: client_credentials |
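Example (with curl):
```sh
# Replace <API_URL>, your_key and your_secret with your own values.
# tr -d '\n' removes the line wrapping that some base64 tools add to long output.
curl -X POST "<API_URL>/api/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic $(printf '%s' 'your_key:your_secret' | base64 | tr -d '\n')" \
  -d "grant_type=client_credentials"
```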
A successful response (status code 200) returns a JSON body containing the access token:
```json
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1...",
  "token_type": "Bearer",
  "expires_in": 600
}
```
This token is valid for 10 minutes (600 seconds). When the token expires, call this endpoint again to get a new one.
⚠️ Keep this token secret as well. Do not log it.
2. Use the Access Token
Once you have a valid access token, include the following Authorization header when making a request to the API:
Authorization: Bearer <access_token>
For example:
```http
GET /api/a_secured_endpoint HTTP/1.1
Host: API_URL
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1...
```
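Steps 1 and 2 above as a Python client, added here as an example and not the API provider's own code: it builds the token request, reuses the token until shortly before the 600 seconds elapse, and keeps credentials out of `repr()` output. `API_URL`, `build_token_request`, `fetch_token`, `TokenCache` and the 30-second refresh margin are assumptions made for this example.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

API_URL = "https://api.example.invalid"  # placeholder: use the URL of your environment


def build_token_request(key, secret):
    """Build the POST /api/token request described in step 1 (nothing is sent)."""
    basic = base64.b64encode(f"{key}:{secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(
        API_URL + "/api/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Authorization": "Basic " + basic})


def fetch_token(key, secret):
    """Send the request over HTTPS and return the parsed JSON response."""
    with urllib.request.urlopen(build_token_request(key, secret), timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Reuses one access token until shortly before its expires_in elapses."""

    def __init__(self, key, secret, fetch=fetch_token, clock=time.monotonic, margin=30):
        # margin (assumed value): refresh this many seconds before expiry
        self._key, self._secret = key, secret
        self._fetch, self._clock, self._margin = fetch, clock, margin
        self._token, self._deadline = None, 0.0

    def __repr__(self):  # keep key, secret and token out of logs and tracebacks
        return "TokenCache(<redacted>)"

    def auth_header(self):
        """Return the step 2 Authorization header, fetching a token only when needed."""
        if self._token is None or self._clock() >= self._deadline:
            data = self._fetch(self._key, self._secret)
            if data.get("token_type") != "Bearer":
                raise ValueError("unexpected token_type")
            self._token = data["access_token"]
            self._deadline = self._clock() + data["expires_in"] - self._margin
        return {"Authorization": "Bearer " + self._token}
```

Load the key and secret from a secret store or environment variable at startup and pass them to `TokenCache`; avoid hardcoding them in source files.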
Basic authentication
Some endpoints are protected using basic authentication.
Your merchant dashboard credentials are used for basic authentication.
For example, random@domain.com with john123 password will lead to this header:
```sh
Basic cmFuZG9tQGRvbWFpbi5jb206am9objEyMw==
```
You can also use Postman to make your call (Basic auth in the Authorization tab).
Signature
You can find an explanation there.
There are also some examples in the documentation: