Issue an Access Token
POST /auth/brands/:brandIdentity/token
Overview
The token endpoint is used by the client to obtain an access token utilizing the following grant types:
- Client Credentials
- Refresh Token
- Token Exchange
- Password
Since the requests to the token endpoint result in the transmission of clear-text credentials (in the HTTP request and response), the client server MUST use TLS when sending requests to it.
Basic Authentication
Basic Authentication is used for authenticating a client. In this mechanism, the client sends its client ID and client secret as part of the Authorization header in an HTTP request. The Authorization header contains a Base64-encoded string of {URL-encoded-client-ID}:{URL-encoded-client-secret}.
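The header construction described above, as an added example that is not part of the Paysafe documentation. The helper names and sample credentials are constructed for illustration, and full percent-encoding is assumed as the URL-encoding step. Nothing is sent over the network.

```python
import base64
from urllib.parse import quote, unquote, urlencode, urlsplit

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization value: Base64 of {URL-encoded-id}:{URL-encoded-secret}."""
    # safe="" percent-encodes every reserved character, including ":",
    # so the only literal colon left in the pair is the separator.
    pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")

def parse_basic_auth(header: str) -> tuple[str, str]:
    """Inverse operation, as a receiving server would apply it."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    enc_id, sep, enc_secret = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return unquote(enc_id), unquote(enc_secret)

def build_token_request(base_url, brand, client_id, client_secret,
                        grant_type, **params):
    """Return (url, headers, body) for the token endpoint without sending it."""
    # The request carries clear-text credentials, so refuse anything but TLS.
    if urlsplit(base_url).scheme != "https":
        raise ValueError("token requests carry credentials; refusing non-TLS URL")
    url = f"{base_url.rstrip('/')}/auth/brands/{quote(brand, safe='')}/token"
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": grant_type, **params})
    return url, headers, body

# Constructed sample values, not real credentials. The ":" inside both
# values would corrupt the pair if the URL-encoding step were skipped.
SAMPLE_ID, SAMPLE_SECRET = "partner:app 1", "p@ss:w/rd+%"
```

Skipping the URL-encoding step works until a client ID contains a colon, at which point the receiver splits the pair in the wrong place.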
SCA Authentication
The necessity for SCA Authentication arises when customers need to adhere to the particular regulations outlined in the PSD2 directive.
The HTTP WWW-Authenticate response header defines the SCA authentication methods that might be used to gain access to the specific resource:
HTTP/2 401 Unauthorized
WWW-Authenticate: SCA realm="Authentication" auth-param1="..."
Upon the successful completion of the SCA authentication process, the user should re-request the same wallet resource. This should be done using the SCA-Authorization request header:
POST /digitalwallets/v1/auth/brands/{brandIdentity}/token HTTP/2
Host: api.paysafe.com
SCA-Authorization: ewogICJzY2FEZXRhaWxzIjogewogICAgImV2ZW50SWQiOiAiMDZiZGNkMmMtMGNjZS00YjM2LTk3ZWMtMjgxYzhmNWQ3NDNjIiwKICAgICJ3YWxsZXRPcGVyYXRpb25JZCI6ICJhNTg2NWZkNi0xOGMyLTQ1YTgtOTk1My0xYzAwZWFjMzZjMzYiCn0=
More details can be found in Strong Customer Authentication.
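Client-side handling of the challenge and retry described above, as an added example that is not part of the Paysafe documentation. The function names and the sample header value are constructed, and the SCA-Authorization value is treated as an opaque string obtained from the SCA process.

```python
import re

# key="quoted value" or key=token, separated by spaces or commas
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')

def parse_sca_challenge(status, headers):
    """Return the SCA challenge's auth-params as a dict, or None when the
    response is not a 401 carrying a WWW-Authenticate: SCA challenge."""
    if status != 401:
        return None
    # Header names are case-insensitive (HTTP/2 delivers them lowercased).
    value = next((v for k, v in headers.items()
                  if k.lower() == "www-authenticate"), "")
    scheme, _, rest = value.strip().partition(" ")
    if scheme.upper() != "SCA":
        return None
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(rest)}

def retry_headers(original_headers, sca_authorization):
    """Headers for re-requesting the same resource once SCA has completed."""
    # Reject empty or multi-line values so the header cannot be split.
    if not sca_authorization or any(c in sca_authorization for c in "\r\n"):
        raise ValueError("SCA-Authorization must be a single non-empty line")
    headers = dict(original_headers)  # leave the caller's dict untouched
    headers["SCA-Authorization"] = sca_authorization
    return headers

# Constructed sample response header, shaped like the challenge shown above.
SAMPLE_401 = {"www-authenticate":
              'SCA realm="Authentication" auth-param1="constructed-value"'}
```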
Request
Path Parameters
brandIdentity: The identity of the partner using the Embedded Wallet.
- application/x-www-form-urlencoded
Body
required
Token request by which a client application requests an access token from the Paysafe authorization server.
- CLIENT_CREDENTIALS
- REFRESH_TOKEN
- TOKEN_EXCHANGE
- PASSWORD
grant_type
string
required
Possible values: [CLIENT_CREDENTIALS, REFRESH_TOKEN, TOKEN_EXCHANGE, PASSWORD]
It is used in token requests to specify the type of authorization grant being utilized. The acceptable values are:
- client_credentials: client credentials grant type
- refresh_token: refresh token grant type
- urn:ietf:params:oauth:grant-type:token-exchange: token exchange grant type
- password: resource owner password (or "password") grant type
The scope of the requested access token. Can be used to restrict the new access token to a subset of the scope allowed to the client and token type.
The refresh_token previously provided to the client.
The scope of the requested access token. Can be used to restrict the new access token to a subset of the scope allowed to the client and token type.
A security token that represents the identity of the party on behalf of whom the request is being made.
The scope of the requested access token. Can be used to restrict the new access token to a subset of the scope allowed to the client and token type.
Unique identifier assigned to individual users or devices, used to create their digital identity.
The username that is assigned to the user's account.
The password that is associated with the user's account.
The scope of the requested access token. Can be used to restrict the new access token to a subset of the scope allowed to the client and token type.
Unique identifier assigned to individual users or devices, used to create their digital identity.
Responses
- 200
- 400
- 401
- 409
- 500
- 503
OK
- application/json
- Schema
- Example (from schema)
- CLIENT_CREDENTIALS
- REFRESH_TOKEN
- TOKEN_EXCHANGE
- PASSWORD
Schema
access_token: The newly-obtained access token.
expires_in: The lifetime of the access token, in seconds.
refresh_token: The refresh token used to obtain a new access token when the original token expires.
refresh_expires_in: The lifetime of the refresh token, in seconds.
token_type: The type of the token. Currently only bearer tokens are emitted. Possible values: [Bearer]
id_token: The user identity token, proving that the user has been authenticated.
scope: The effective scope of the newly-obtained token.
Example (from schema):
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjb0ZFWEluRGNHamltcTJQUXhaSDJjbXRpYmd1eDJhOGhYLTZxQ0JDT0xzIn0...",
  "expires_in": 900,
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3MDAzNjUwZC01NGJkLTRiNjEtOGZjNC02YzVjZjRlOWI3YjcifQ...",
  "refresh_expires_in": 1800,
  "token_type": "Bearer",
  "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjb0ZFWEluRGNHamltcTJQUXhaSDJjbXRpYmd1eDJhOGhYLTZxQ0JDT0xzIn0...",
  "scope": "whitelabelWallet"
}
CLIENT_CREDENTIALS:
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjb0ZFWEluRGNHamltcTJQUXhaSDJjbXRpYmd1eDJhOGhYLTZxQ0JDT0xzIn0...",
  "expires_in": 900,
  "refresh_expires_in": 0,
  "token_type": "Bearer",
  "scope": "whitelabelWallet"
}
REFRESH_TOKEN:
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjb0ZFWEluRGNHamltcTJQUXhaSDJjbXRpYmd1eDJhOGhYLTZxQ0JDT0xzIn0...",
  "expires_in": 900,
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3MDAzNjUwZC01NGJkLTRiNjEtOGZjNC02YzVjZjRlOWI3YjcifQ...",
  "refresh_expires_in": 1800,
  "token_type": "Bearer",
  "scope": "whitelabelWallet"
}
TOKEN_EXCHANGE:
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjb0ZFWEluRGNHamltcTJQUXhaSDJjbXRpYmd1eDJhOGhYLTZxQ0JDT0xzIn0...",
  "expires_in": 900,
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3MDAzNjUwZC01NGJkLTRiNjEtOGZjNC02YzVjZjRlOWI3YjcifQ...",
  "refresh_expires_in": 1800,
  "token_type": "Bearer",
  "scope": "whitelabelWallet"
}
PASSWORD:
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjb0ZFWEluRGNHamltcTJQUXhaSDJjbXRpYmd1eDJhOGhYLTZxQ0JDT0xzIn0...",
  "expires_in": 900,
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3MDAzNjUwZC01NGJkLTRiNjEtOGZjNC02YzVjZjRlOWI3YjcifQ...",
  "refresh_expires_in": 1800,
  "token_type": "Bearer",
  "scope": "whitelabelWallet"
}
Bad request
- application/json
- Schema
- Example (from schema)
- AUTHENTICATION_FAILURE
- MISSING_MANDATORY_FIELD
Schema
Array [
]
error
object
Additional details about the error.
The error code.
A description of the error.
Details of any parameter value errors.
fieldErrors
object[]
Identifies the JSON request field.
The problem associated with the field.
Example (from schema):
{
  "error": {
    "code": "string",
    "message": "string",
    "details": [
      "string"
    ],
    "fieldErrors": [
      {
        "field": "string",
        "error": "string"
      }
    ]
  }
}
AUTHENTICATION_FAILURE:
{
  "error": {
    "code": "DW-AUTHENTICATION-FAILURE",
    "message": "The authentication process was unsuccessful.",
    "details": [
      "The authentication process was unsuccessful."
    ]
  }
}
MISSING_MANDATORY_FIELD:
{
  "error": {
    "code": "5068",
    "message": "Field error(s)",
    "details": [
      "Either you submitted a request that is missing a mandatory field or the value of a field does not match the format expected."
    ],
    "fieldErrors": [
      {
        "field": "grant_type",
        "error": "grant_type must not be null"
      }
    ]
  }
}
Unauthorized
Response Headers
WWW-Authenticate
string
Specifies the necessity of employing the SCA security scheme within the specific wallet domain.
- application/json
- Schema
- Example (from schema)
- SCA_VERIFICATION_FAILED
Schema
Array [
]
error
object
Additional details about the error.
The error code.
A description of the error.
Details of any parameter value errors.
fieldErrors
object[]
Identifies the JSON request field.
The problem associated with the field.
Example (from schema):
{
  "error": {
    "code": "string",
    "message": "string",
    "details": [
      "string"
    ],
    "fieldErrors": [
      {
        "field": "string",
        "error": "string"
      }
    ]
  }
}
SCA_VERIFICATION_FAILED:
{
  "error": {
    "code": "DW-SCA-VERIFICATION-FAILED",
    "message": "The wallet operation was unsuccessful.",
    "details": [
      "The wallet operation was declined because the SCA requirement is not completed."
    ]
  }
}
Conflict
- application/json
- Schema
- Example (from schema)
- AUTHENTICATION_NOT_ALLOWED
Schema
Array [
]
error
object
Additional details about the error.
The error code.
A description of the error.
Details of any parameter value errors.
fieldErrors
object[]
Identifies the JSON request field.
The problem associated with the field.
Example (from schema):
{
  "error": {
    "code": "string",
    "message": "string",
    "details": [
      "string"
    ],
    "fieldErrors": [
      {
        "field": "string",
        "error": "string"
      }
    ]
  }
}
AUTHENTICATION_NOT_ALLOWED:
{
  "error": {
    "code": "DW-AUTHENTICATION-NOT-ALLOWED",
    "message": "The authentication process is not allowed.",
    "details": [
      "The authentication process is not allowed."
    ]
  }
}
Internal Server Error
- application/json
- Schema
- Example (from schema)
- INTERNAL_SERVER_ERROR
Schema
Array [
]
error
object
Additional details about the error.
The error code.
A description of the error.
Details of any parameter value errors.
fieldErrors
object[]
Identifies the JSON request field.
The problem associated with the field.
Example (from schema):
{
  "error": {
    "code": "string",
    "message": "string",
    "details": [
      "string"
    ],
    "fieldErrors": [
      {
        "field": "string",
        "error": "string"
      }
    ]
  }
}
INTERNAL_SERVER_ERROR:
{
  "error": {
    "code": "DW-INTERNAL-SERVER-ERROR",
    "message": "Internal Server Error",
    "details": [
      "There was an error while processing the operation"
    ]
  }
}
Service Unavailable
- application/json
- Schema
- Example (from schema)
- SERVICE_UNAVAILABLE
Schema
Array [
]
error
object
Additional details about the error.
The error code.
A description of the error.
Details of any parameter value errors.
fieldErrors
object[]
Identifies the JSON request field.
The problem associated with the field.
Example (from schema):
{
  "error": {
    "code": "string",
    "message": "string",
    "details": [
      "string"
    ],
    "fieldErrors": [
      {
        "field": "string",
        "error": "string"
      }
    ]
  }
}
SERVICE_UNAVAILABLE:
{
  "error": {
    "code": "DW-SERVICE-UNAVAILABLE",
    "message": "Service Unavailable",
    "details": [
      "Service Unavailable"
    ]
  }
}