Issue an Access Token
POST /auth/brands/:brandIdentity/token
Overview
The token endpoint is used by the client to obtain an access token using one of the following grant types:
- Client Credentials
- Refresh Token
- Token Exchange
- Password
- Authorization Code
Requests to the token endpoint carry credentials in clear text (in both the HTTP request and the HTTP response), so the client MUST use TLS for every request it sends to this endpoint.
Basic Authentication
Basic Authentication is used for authenticating a client. In this mechanism, the client sends its client ID and client secret in the Authorization header of the HTTP request. The header value is the Base64 encoding of the string {URL-encoded-client-ID}:{URL-encoded-client-secret}. Both parts are URL-encoded before the Base64 step, so a ':' occurring inside a client ID or secret cannot be confused with the separator.
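The following is an added example (not Paysafe's own client or server code) showing both sides of the Basic credential encoding described above: the client builds the Authorization header, and a server parses it back and compares the secret in constant time. The brand identity and credentials are constructed test values, the URL is pinned to https because of the TLS requirement stated above, and the grant_type form field is the standard OAuth 2.0 Client Credentials parameter (RFC 6749 section 4.4), which this page does not show and is therefore an assumption here.

```python
import base64
import hmac
import urllib.parse

# Added example (not Paysafe's code). Path shape taken from the page's examples;
# the grant_type body parameter is an assumption (RFC 6749 section 4.4).
TOKEN_PATH = "/digitalwallets/v1/auth/brands/{brand}/token"


def basic_authorization(client_id: str, client_secret: str) -> str:
    """Authorization value: Base64("{URL-encoded-client-ID}:{URL-encoded-client-secret}").

    safe="" forces ':' (and '/', '+', '%', ...) inside either credential to be
    percent-encoded, so the ':' separator stays unambiguous for the server.
    """
    user = urllib.parse.quote(client_id, safe="")
    secret = urllib.parse.quote(client_secret, safe="")
    pair = f"{user}:{secret}".encode("ascii")
    return "Basic " + base64.b64encode(pair).decode("ascii")


def parse_basic_authorization(header_value: str):
    """Server side: undo the encoding. Returns (client_id, client_secret) or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    # Split on the first ':' only; URL-encoding guarantees no ':' remains in either half.
    user, sep, secret = raw.partition(":")
    if not sep:
        return None
    return urllib.parse.unquote(user), urllib.parse.unquote(secret)


def secret_matches(presented: str, expected: str) -> bool:
    """Constant-time comparison; never compare client secrets with '=='."""
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def client_credentials_request(brand_identity: str, client_id: str, client_secret: str):
    """Assemble a Client Credentials token request as (method, url, headers, body).

    The URL is pinned to https: the page requires TLS because the credentials
    travel in clear text inside the request.
    """
    path = TOKEN_PATH.format(brand=urllib.parse.quote(brand_identity, safe=""))
    url = "https://api.paysafe.com" + path
    headers = {
        "Authorization": basic_authorization(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials"})  # assumption, see above
    return "POST", url, headers, body


if __name__ == "__main__":
    method, url, headers, body = client_credentials_request("mybrand", "abc", "p:w")
    print(method, url)
    print(headers["Authorization"])  # Basic YWJjOnAlM0F3
    print(parse_basic_authorization(headers["Authorization"]))  # ('abc', 'p:w')
```

Note that `parse_basic_authorization` rejects a value without a ':' and a token that is not valid Base64 rather than guessing, and that the secret check goes through `hmac.compare_digest` so a wrong secret takes the same time to reject as a nearly right one.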
SCA Authentication
SCA Authentication is required when customers must comply with the Strong Customer Authentication requirements of the PSD2 directive.
The HTTP WWW-Authenticate response header defines the SCA authentication methods that may be used to gain access to the specific resource. Its auth-param1 value is a Base64-encoded JSON document describing the SCA event (eventId, walletOperationId, the available verification methods, and the event's creation and expiration time), as the example below decodes to:
HTTP/2 401 Unauthorized
WWW-Authenticate: SCA realm="Authentication" auth-param1="ewogICJzY2FEZXRhaWxzIjogewogICAgImV2ZW50SWQiOiAiMDZiZGMyYzAtY2NlLTRiMzYtOTdlYy0yODFjOGY1ZDc0M2MiLAogICAgIndhbGxldE9wZXJhdGlvbklkIjogImE1ODY1ZmQ2LTE4YzItNDVhOC05OTUzLTFjMDBlYWMzNmMzNiIsCiAgICAiYXV0aGVudGljYXRpb25Nb2RlIjogIk9VVFNPVVJDRUQiLAogICAgImF2YWlsYWJsZVZlcmlmaWNhdGlvbnMiOiBbCiAgICAgIHsKICAgICAgICAibWV0aG9kIjogIlBJTiIKICAgICAgfSwKICAgICAgewogICAgICAgICJtZXRob2QiOiAiT1RQIiwKICAgICAgICAiY2hhbm5lbCI6ICJTTVMiLAogICAgICAgICJ0YXJnZXQiOiAiam8qKipAZXhhbXBsZS5jb20iCiAgICAgIH0KICAgIF0sCiAgICAiY3JlYXRpb25UaW1lIjogIjIwMjEtMDctMTVUMTc6NTQ6MTJaIiwKICAgICJleHBpcmF0aW9uVGltZSI6ICIyMDIxLTA3LTE1VDE4OjA5OjEyWiIKICB9Cn0="
Upon successful completion of the SCA authentication process, the client re-requests the same wallet resource, this time with the SCA-Authorization request header, whose Base64-encoded JSON carries the eventId and walletOperationId from the challenge:
POST /digitalwallets/v1/auth/brands/{brandIdentity}/token HTTP/2
Host: api.paysafe.com
SCA-Authorization: ewogICJzY2FEZXRhaWxzIjogewogICAgImV2ZW50SWQiOiAiMDZiZGNkMmMtMGNjZS00YjM2LTk3ZWMtMjgxYzhmNWQ3NDNjIiwKICAgICJ3YWxsZXRPcGVyYXRpb25JZCI6ICJhNTg2NWZkNi0xOGMyLTQ1YTgtOTk1My0xYzAwZWFjMzZjMzYiCn0=
More details can be found in Strong Customer Authentication.
Attestation Authentication (feature in development)
ATT (attestation) Authentication is required when customers must adhere to particular security standards that call for device attestation.
The HTTP WWW-Authenticate response header defines the ATT authentication specifics that may be used to gain access to the specific resource:
HTTP/2 401 Unauthorized
WWW-Authenticate: ATT realm="Authentication" auth-param1="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"
Upon successful completion of the ATT authentication process, the client re-requests the same wallet resource, this time with the ATT-Authorization request header, whose Base64-encoded JSON carries the attestation details (device ID, attestation key ID, attestation token, session ID and OS name):
POST /digitalwallets/v1/auth/brands/{brandIdentity}/token HTTP/2
Host: api.paysafe.com
ATT-Authorization: ewogICAgImF0dGVzdGF0aW9uRGV0YWlscyI6IHsKICAgICAgICAiZGV2aWNlSWQiOiAiODk1NEJGRjItNTc3NC00Q0VCLTkwMTctRjhBNzk3RUJFODk3IiwKICAgICAgICAiYXR0ZXN0YXRpb25LZXlJZCI6ICJRV2s2bHhmaUFDSDlWaU94SDlYdFZ4K2h3Tk1NMXcrUmFET1VvL3JiYk84PSIsCiAgICAgICAgImF0dGVzdGF0aW9uVG9rZW4iOiAiZXlKaGJHY2lPaUpTVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5IiwKICAgICAgICAidG14U2Vzc2lvbklkIjogImJlMDY2NWY3LTE5OTAtNGQ2Ni04NDY5LWFjYWQ0ZTk3NmFiOSIsCiAgICAgICAgIm9zTmFtZSI6ICJBTkRST0lEIgogICAgfQp9
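The following is an added example (not Paysafe's own client code) that walks the SCA flow from the section above and also builds the ATT-Authorization reply header from the attestation section: it parses the WWW-Authenticate challenge, decodes auth-param1, refuses an expired or wrong-scheme challenge, lets the client pick a verification method, and emits the retry header. The JSON field names (scaDetails with eventId, walletOperationId, availableVerifications and expirationTime; attestationDetails with deviceId, attestationKeyId, attestationToken, tmxSessionId and osName) come from decoding the Base64 values in this page's own examples. Everything else is an assumption: the sample challenge and all identifier values are constructed, `parse_challenge` handles only the quoted auth-param form used on this page, the OTP-before-PIN preference is arbitrary, and the page does not show what the ATT challenge itself carries, so only the ATT reply is built.

```python
import base64
import json
import re
from datetime import datetime, timezone

# Added example (not Paysafe's code). Field names decoded from the page's
# examples; all values below are constructed samples.
_PARAM = re.compile(r'([A-Za-z0-9_-]+)="([^"]*)"')


def parse_challenge(www_authenticate: str):
    """'SCA realm="Authentication" auth-param1="..."' -> ("SCA", {"realm": ..., "auth-param1": ...}).

    Only the quoted auth-param form used on this page is handled; a full
    RFC 7235 parser would also accept token68 and unquoted values.
    """
    scheme, _, rest = www_authenticate.strip().partition(" ")
    return scheme, dict(_PARAM.findall(rest))


def decode_param(value: str) -> dict:
    """auth-param1 and the *-Authorization header values are Base64 over JSON."""
    return json.loads(base64.b64decode(value, validate=True))


def encode_param(obj: dict) -> str:
    return base64.b64encode(json.dumps(obj, separators=(",", ":")).encode("utf-8")).decode("ascii")


def is_expired(details: dict, now: datetime) -> bool:
    """expirationTime is an RFC 3339 UTC stamp ('...Z'); compare as aware datetimes."""
    expires = datetime.fromisoformat(details["expirationTime"].replace("Z", "+00:00"))
    return now >= expires


def sca_details(www_authenticate: str, now: datetime) -> dict:
    """Validate the challenge and return its scaDetails.

    Rejecting another scheme or an expired event up front keeps the client from
    walking the user through OTP entry for an event the server will refuse anyway.
    """
    scheme, params = parse_challenge(www_authenticate)
    if scheme.upper() != "SCA":
        raise ValueError(f"expected an SCA challenge, got {scheme!r}")
    details = decode_param(params["auth-param1"])["scaDetails"]
    if is_expired(details, now):
        raise ValueError("SCA challenge expired; repeat the original request to obtain a new one")
    return details


def choose_verification(details: dict, preferred=("OTP", "PIN")) -> dict:
    """Pick the first offered verification method in the client's order of preference."""
    offered = {v["method"]: v for v in details["availableVerifications"]}
    for method in preferred:
        if method in offered:
            return offered[method]
    raise ValueError("none of the offered verification methods is supported")


def sca_authorization(details: dict) -> str:
    """SCA-Authorization value: only eventId and walletOperationId are echoed back,
    matching the page's example; the rest of scaDetails stays server-side state."""
    return encode_param({"scaDetails": {
        "eventId": details["eventId"],
        "walletOperationId": details["walletOperationId"],
    }})


def att_authorization(device_id, attestation_key_id, attestation_token, tmx_session_id, os_name) -> str:
    """ATT-Authorization value with the field names decoded from the page's example."""
    return encode_param({"attestationDetails": {
        "deviceId": device_id,
        "attestationKeyId": attestation_key_id,
        "attestationToken": attestation_token,
        "tmxSessionId": tmx_session_id,
        "osName": os_name,
    }})


# Constructed sample challenge with the same structure as the page's example.
SAMPLE_DETAILS = {
    "eventId": "11111111-2222-4333-8444-555555555555",
    "walletOperationId": "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",
    "authenticationMode": "OUTSOURCED",
    "availableVerifications": [
        {"method": "PIN"},
        {"method": "OTP", "channel": "SMS", "target": "jo***@example.com"},
    ],
    "creationTime": "2021-07-15T17:54:12Z",
    "expirationTime": "2021-07-15T18:09:12Z",
}
SAMPLE_CHALLENGE = 'SCA realm="Authentication" auth-param1="%s"' % encode_param({"scaDetails": SAMPLE_DETAILS})
SAMPLE_NOW = datetime(2021, 7, 15, 18, 0, 0, tzinfo=timezone.utc)


def retry_headers(www_authenticate: str, now: datetime) -> dict:
    """Headers for re-sending the token request after the user completed SCA."""
    details = sca_details(www_authenticate, now)
    return {"Host": "api.paysafe.com", "SCA-Authorization": sca_authorization(details)}


if __name__ == "__main__":
    details = sca_details(SAMPLE_CHALLENGE, SAMPLE_NOW)
    print("verify via", choose_verification(details))
    print(retry_headers(SAMPLE_CHALLENGE, SAMPLE_NOW)["SCA-Authorization"])
```

Treat the decoded challenge as untrusted input: it is Base64 over JSON, not a signed token, so the client should only read the identifiers and the verification list from it and must not rely on it to decide whether the server will accept the retry; the server's 401 is the only authority on that.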
Request
Responses
- 200 OK
- 400 Bad request
- 401 Unauthorized. Response header WWW-Authenticate: specifies the necessity of employing the SCA security scheme within the specific wallet domain (see SCA Authentication above).
- 403 Forbidden
- 405 Method Not Allowed
- 409 Conflict
- 500 Internal Server Error
- 503 Service Unavailable