Access Tokens
API security
Your DevApp identity is validated via a set of credentials: Client ID and Client Secret. These credentials can be found in your DevApp Configuration:
Getting Access Token
Access Tokens are required to authenticate any ConnectPay API call.
To exchange the previously received authCode for an Access Token, make the Get Access Token API call from your backend server.
POST /auth/v1/oauth2/token HTTP/1.1
Host: api-stage.connectpay.com
Content-Type: application/x-www-form-urlencoded
X-Request-ID: 5800bbfa-d4b3-410e-a448-f50f4d4a908c
Authorization: Basic ZWM5M...4YQ==
Content-Length: 71

grant_type=authorization_code&code=1f9ae0a1-21f9-145c-9939-75c281a3b06b
After DevApp identification and AuthCode validation, the API responds with a pair of tokens: an Access Token and a Refresh Token. If you need to identify the Customer, you can use the client_customer_name property.
{
  "token_type": "Bearer",
  "access_token": "a6bcc5df-6c04-345b-b55c-c58c16b8cd40",
  "refresh_token": "e6e0cb4f-d822-3809-9981-588291bee1d1",
  "expires_in": 3600,
  "client_customer_name": "Mo********co",
  "scope": "ob-ps:authz-nosca ob-ps ob-as",
  "refresh_token_expires_in": "2592000"
}
Detailed API documentation can be found here.
Token rotation
Access Tokens are short-lived. Use the long-lived Refresh Token to mint new Access Tokens when required. The same goes for Refresh Tokens: mint a new one when the existing one is near the end of its life.
If the Refresh Token expires, you will have to go through the whole auth flow again.
Detailed API documentation can be found here.
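The following is an added example, not ConnectPay's own code, covering both the exchange under "Getting Access Token" and the rotation rules above: it builds the authorization_code request on the backend and decides from a token response whether to use, refresh, rotate or re-authorize. The https scheme, the client_id:client_secret form of the Basic credentials, the margin values and the names build_token_request and TokenState are assumptions.

```python
import base64
import time
import urllib.parse
import urllib.request

# Host and path come from the request above; the https scheme is an assumption.
TOKEN_URL = "https://api-stage.connectpay.com/auth/v1/oauth2/token"

# Constructed from the sample response above (note the string-typed lifetime).
SAMPLE_RESPONSE = {
    "access_token": "a6bcc5df-6c04-345b-b55c-c58c16b8cd40",
    "refresh_token": "e6e0cb4f-d822-3809-9981-588291bee1d1",
    "expires_in": 3600,
    "refresh_token_expires_in": "2592000",
}


def build_token_request(client_id, client_secret, auth_code, request_id):
    """Build, without sending, the authorization_code exchange (backend only)."""
    # Assumption: Basic credentials are base64("client_id:client_secret").
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "authorization_code", "code": auth_code}).encode()
    headers = {"Authorization": f"Basic {basic}", "X-Request-ID": request_id,
               "Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")


class TokenState:
    """Tracks both lifetimes from one token response (hypothetical helper)."""

    def __init__(self, response, now=None):
        now = time.time() if now is None else now
        self.access_token = response["access_token"]
        self.refresh_token = response["refresh_token"]
        # int() accepts both the numeric and the string form seen in the sample.
        self.access_expiry = now + int(response["expires_in"])
        self.refresh_expiry = now + int(response["refresh_token_expires_in"])

    def next_action(self, now=None, access_margin=60, refresh_margin=86400):
        """Margins (seconds) are assumed values, not ConnectPay guidance."""
        now = time.time() if now is None else now
        if now >= self.refresh_expiry:
            return "reauthorize"            # refresh token expired: full auth flow
        if now >= self.refresh_expiry - refresh_margin:
            return "rotate_refresh_token"   # near end of life: mint a new one
        if now >= self.access_expiry - access_margin:
            return "refresh_access_token"   # mint a new access token
        return "use_access_token"
```

Keep the Client Secret and both tokens on the backend only, and pass a fresh X-Request-ID per call.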