Access Tokens
API security
Your DevApp identity is validated with a set of credentials: Client ID and Client Secret. These credentials can be found in your DevApp Configuration.
Getting Access Token
Access Tokens are required to authenticate any ConnectPay API call.
To exchange the previously received authCode for an Access Token, make the Get Access Token API call from your backend server.
POST /auth/v1/oauth2/token HTTP/1.1
Host: api-stage.connectpay.com
Content-Type: application/x-www-form-urlencoded
X-Request-ID: 5800bbfa-d4b3-410e-a448-f50f4d4a908c
Authorization: Basic ZWM5M...4YQ==
Content-Length: 71

grant_type=authorization_code&code=1f9ae0a1-21f9-145c-9939-75c281a3b06b
After DevApp identification and AuthCode validation, the API responds with a pair of tokens: an Access Token and a Refresh Token. If you need to identify the Customer, you can use the client_customer_name property.
{
  "token_type": "Bearer",
  "access_token": "a6bcc5df-6c04-345b-b55c-c58c16b8cd40",
  "refresh_token": "e6e0cb4f-d822-3809-9981-588291bee1d1",
  "expires_in": 3600,
  "client_customer_name": "Mo********co",
  "scope": "ob-ps:authz-nosca ob-ps ob-as",
  "refresh_token_expires_in": "2592000"
}
Detailed API documentation can be found here.
Token rotation
Access Tokens are short-lived; use long-lived Refresh Tokens to mint new Access Tokens when required. The same goes for Refresh Tokens: mint a new one when the existing one is near the end of its life.
If the Refresh Token expires, you will have to go through the whole auth flow again.
- Access Token's lifetime is 1 hour.
- Refresh Token's lifetime is 30 days.
Detailed API documentation can be found here.
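The following Python sketch is an added example, not ConnectPay's own code: it builds the authCode exchange request shown above and tracks both token lifetimes so a backend knows when to refresh, rotate, or restart the auth flow. The names `code_exchange_request`, `TokenState`, `SKEW` and `REFRESH_MARGIN` are hypothetical, the margins are assumed values, and the Basic credential is assumed to be the standard `client_id:client_secret` encoding.

```python
import base64
import time
import uuid
from dataclasses import dataclass
from urllib.parse import urlencode

SKEW = 60                    # assumed: refresh the Access Token 60 s before expiry
REFRESH_MARGIN = 24 * 3600   # assumed: rotate the Refresh Token in its last day


def code_exchange_request(client_id, client_secret, auth_code):
    """Headers and form body for the authCode exchange (send from the backend only)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Request-ID": str(uuid.uuid4()),   # fresh ID per request
        "Authorization": f"Basic {basic}",
    }
    return headers, urlencode({"grant_type": "authorization_code", "code": auth_code})


@dataclass(repr=False)
class TokenState:
    access_token: str
    refresh_token: str
    access_expires_at: float
    refresh_expires_at: float

    @classmethod
    def from_response(cls, body, now=None):
        now = time.time() if now is None else now
        # refresh_token_expires_in is a string in the sample response; coerce both.
        return cls(body["access_token"], body["refresh_token"],
                   now + int(body["expires_in"]),
                   now + int(body["refresh_token_expires_in"]))

    def next_action(self, now=None):
        now = time.time() if now is None else now
        if now >= self.refresh_expires_at:
            return "reauthorize"             # Refresh Token expired: full auth flow
        if now >= self.refresh_expires_at - REFRESH_MARGIN:
            return "rotate_refresh_token"    # near end of life: mint a new one
        if now >= self.access_expires_at - SKEW:
            return "refresh_access_token"
        return "use_access_token"

    def __repr__(self):  # keep token values out of logs and tracebacks
        return f"TokenState(access_expires_at={self.access_expires_at:.0f}, ...)"
```

Store the Client Secret and both tokens server-side only; the custom `__repr__` keeps token values from leaking into application logs.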