API security

Your DevApp identity will be validated via set of credentials - Client ID and Client Secret. These credentials can be found in your DevApp Configuration:

Getting Access Token

Access Tokens are required to authenticate any ConnectPay API call.

To exchange previously received authCode to Access Token, you should make Get Access Token API call from your backend server.

POST /auth/v1/oauth2/token HTTP/1.1

Host: api-stage.connectpay.com
Content-Type: application/x-www-form-urlencoded
X-Request-ID: 5800bbfa-d4b3-410e-a448-f50f4d4a908c
Authorization: Basic ZWM5M...4YQ==
Content-Length: 71

grant_type=authorization_code&code=1f9ae0a1-21f9-145c-9939-75c281a3b06b

After DevApp identification and AuthCode validation, API will respond with pair of Access Token and Refresh Token. If you need to identify Customer, you can use client_customer_name property.

{
    "token_type": "Bearer",
    "access_token": "a6bcc5df-6c04-345b-b55c-c58c16b8cd40",
    "refresh_token": "e6e0cb4f-d822-3809-9981-588291bee1d1",
    "expires_in": 3600,
    "client_customer_name": "Mo********co",
    "scope": "ob-ps:authz-nosca ob-ps ob-as",
    "refresh_token_expires_in": "2592000"
}
 

Detailed API documentation can be found here.

Token rotation

Access Tokens are short lived - please use long lived Refresh Tokens to mint new Access Tokens when required. Same goes for Refresh Tokens - mint new one, when existing is near the end of life.
If Refresh Token would expire, you will have to go though all auth flow again.

Detailed API documentation can be found here.

Token revocation

To revoke Refresh Token, please write an email to ConnectPay development support . In 2021 Q4 we will add functionality to revoke tokens by yourself.