API security

Your DevApp identity will be validated via set of credentials - Client ID and Client Secret. These credentials can be found in your DevApp Configuration:

Getting Access Token

Access Tokens are required to authenticate any ConnectPay API call.

To exchange previously received authCode to Access Token, you should make Get Access Token API call from your backend server.

POST /auth/v1/oauth2/token HTTP/1.1

Host: api-stage.connectpay.com
Content-Type: application/x-www-form-urlencoded
X-Request-ID: 5800bbfa-d4b3-410e-a448-f50f4d4a908c
Authorization: Basic ZWM5M...4YQ==
Content-Length: 71

grant_type=authorization_code&code=1f9ae0a1-21f9-145c-9939-75c281a3b06b

After DevApp identification and AuthCode validation, API will respond with pair of Access Token and Refresh Token. If you need to identify Customer, you can use client_customer_name property.

{
    "token_type": "Bearer",
    "access_token": "a6bcc5df-6c04-345b-b55c-c58c16b8cd40",
    "refresh_token": "e6e0cb4f-d822-3809-9981-588291bee1d1",
    "expires_in": 3600,
    "client_customer_name": "Mo********co",
    "scope": "ob-ps:authz-nosca ob-ps ob-as",
    "refresh_token_expires_in": "2592000"
}
 

Detailed API documentation can be found here.

Token rotation

Access Tokens are short lived - please use long lived Refresh Tokens to mint new Access Tokens when required. Same goes for Refresh Tokens - mint new one, when existing is near the end of life.
If Refresh Token would expire, you will have to go though all auth flow again.

• Access Token's lifetime is 1 hour
• Refresh Token's lifetime is 30 days.

Detailed API documentation can be found here.

Token revocation