All routes that require authentication in the API make use of JWT-based tokens. JWT.IO provides a useful tool to inspect the payload within a JWT, which will provide various useful contextual information. For users of the API, this would be in the form of an application token.

Token secret

An application token consists of two parts, the token and a secret. It is possible to look up the JWTs that have been previously generated, but the secret will only be shown the first time a JWT is generated.

The secret should be considered sensitive information and must not be exposed to the internet by embedding it in front-end code that runs in users' browsers. It is designed to be used by back-end services to automate various tasks, such as generating reports or making charges on channels other than a browser.

Token types

A merchant may create two types of application tokens, a merchant type token and a store type token.

A merchant type token does not have the ability to create transaction tokens and charges, but it is able to access all other routes and is intended for automated services to retrieve information that a merchant would normally have access to. It is also expected to be used in conjunction with a secret.

A store type token is the same as a merchant type token but includes the ability to create transaction tokens and charges. This token should be used with the checkout widget without the secret or by services that need the ability to charge users through channels other than a browser.

When using a store type token, the valid domains for which the token can be used without a secret should be set to the domains the token is intended to be used from. This is a security feature to prevent a token from being used on an unauthorized site. In addition, store type tokens have the option of being used for test or live charges. When developing an application that uses API services, please use a test-mode store type token to prevent unintended charges from occurring.

Creating application tokens

Application tokens can be created via the merchant console (see Guide).

Using an application token

To attach an application token to your request, add the following string to the Authorization HTTP request header, replacing {jwt} and/or {secret} with the relevant strings provided when generating the token.

// Without secret
Bearer {jwt}

// With secret
Bearer {secret}.{jwt}

The number of routes and features that are accessible without a secret is very limited and will be noted where applicable. This is because the token without a secret is designed to be safely exposed on the internet without exposing sensitive information.

All requests must be sent over HTTPS.
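The following example is added here to illustrate the two Authorization header forms above, the HTTPS requirement, and the payload inspection mentioned at the top of the page. It is not code from the API or its documentation. The base URL, the claim names in the sample payload and the signing key are all constructed for the demonstration; a real application token is issued by the merchant console and its payload may differ.

```python
import base64
import hashlib
import hmac
import json
import urllib.request
from typing import Optional

# Hypothetical base URL; the page does not name the API host.
API_BASE = "https://api.example.com"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit the '=' padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def make_sample_jwt(payload: dict, signing_key: bytes) -> str:
    """Build a constructed HS256 JWT so the example runs offline.

    The real token comes from the merchant console; this helper only
    produces something with the same three-segment shape to inspect.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(signing_key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def decode_jwt_payload(jwt: str) -> dict:
    """Read the payload claims the way JWT.IO displays them.

    This decodes only; it does not verify the signature, so use it to look
    at contextual information, never to decide whether a token is trusted.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def build_authorization_header(jwt: str, secret: Optional[str] = None) -> str:
    """Return 'Bearer {jwt}' or, when a secret is supplied, 'Bearer {secret}.{jwt}'.

    The secret form belongs in back-end services only; browser code should
    use the store type token without a secret.
    """
    if secret:
        return f"Bearer {secret}.{jwt}"
    return f"Bearer {jwt}"


def build_request(path: str, jwt: str,
                  secret: Optional[str] = None) -> urllib.request.Request:
    """Prepare (but do not send) a request carrying the application token.

    Refuses anything that is not HTTPS, matching the API requirement.
    """
    url = API_BASE + path
    if not url.startswith("https://"):
        raise ValueError("all requests must be sent over HTTPS")
    req = urllib.request.Request(url)
    req.add_header("Authorization", build_authorization_header(jwt, secret))
    return req


if __name__ == "__main__":
    # Constructed claims; a real token's payload is defined by the API.
    sample = make_sample_jwt({"sub": "app_token_demo", "mode": "test"}, b"demo-key")
    print("payload:", decode_jwt_payload(sample))
    print("browser header:", build_authorization_header(sample))
    print("back-end header:", build_authorization_header(sample, "demo-secret"))
    print("request target:", build_request("/charges", sample, "demo-secret").full_url)
```

`decode_jwt_payload` is deliberately signature-blind because it mirrors the JWT.IO inspection use case; the API, not the client, is the party that validates the token and secret on each request.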