
Issue an Access Token

POST /auth/brands/:brandIdentity/token

Overview

The token endpoint is used by the client to obtain an access token utilizing the following grant types:

  • Client Credentials
  • Refresh Token
  • Token Exchange
  • Password

Since the requests to the token endpoint result in the transmission of clear-text credentials (in the HTTP request and response), the client server MUST use TLS when sending requests to it.

Basic Authentication

Basic Authentication is used for authenticating a client. In this mechanism, the client sends its client ID and client secret as part of the Authorization header in an HTTP request. The Authorization header contains a Base64-encoded string of {URL-encoded-client-ID}:{URL-encoded-client-secret}.

SCA Authentication

SCA Authentication is needed when customers must adhere to the particular regulations outlined in the PSD2 directive.

The HTTP WWW-Authenticate response header defines the SCA authentication methods that might be used to gain access to the specific resource:

HTTP/2 401 Unauthorized
WWW-Authenticate: SCA realm="Authentication" auth-param1="ewogICJzY2FEZXRhaWxzIjogewogICAgImV2ZW50SWQiOiAiMDZiZGMyYzAtY2NlLTRiMzYtOTdlYy0yODFjOGY1ZDc0M2MiLAogICAgIndhbGxldE9wZXJhdGlvbklkIjogImE1ODY1ZmQ2LTE4YzItNDVhOC05OTUzLTFjMDBlYWMzNmMzNiIsCiAgICAiYXV0aGVudGljYXRpb25Nb2RlIjogIk9VVFNPVVJDRUQiLAogICAgImF2YWlsYWJsZVZlcmlmaWNhdGlvbnMiOiBbCiAgICAgIHsKICAgICAgICAibWV0aG9kIjogIlBJTiIKICAgICAgfSwKICAgICAgewogICAgICAgICJtZXRob2QiOiAiT1RQIiwKICAgICAgICAiY2hhbm5lbCI6ICJTTVMiCiAgICAgIH0KICAgIF0sCiAgICAiY3JlYXRpb25UaW1lIjogIjIwMjEtMDctMTVUMTc6NTQ6MTJaIiwKICAgICJleHBpcmF0aW9uVGltZSI6ICIyMDIxLTA3LTE1VDE4OjA5OjEyWiIKICB9Cn0="

Upon the successful completion of the SCA authentication process, the user should re-request the same wallet resource. This should be done using the SCA-Authorization request header:

POST /digitalwallets/v1/auth/brands/{brandIdentity}/token HTTP/2
Host: api.paysafe.com
SCA-Authorization: ewogICJzY2FEZXRhaWxzIjogewogICAgImV2ZW50SWQiOiAiMDZiZGNkMmMtMGNjZS00YjM2LTk3ZWMtMjgxYzhmNWQ3NDNjIiwKICAgICJ3YWxsZXRPcGVyYXRpb25JZCI6ICJhNTg2NWZkNi0xOGMyLTQ1YTgtOTk1My0xYzAwZWFjMzZjMzYiCn0=

More details can be found in Strong Customer Authentication.
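The challenge and reply described above, handled client-side in Python. This is an added example, not Paysafe code: the function names are hypothetical, the sample values are constructed, and the field names are those in the page's sample header once Base64-decoded. Treating expirationTime as the deadline for the challenge, and replying with only eventId and walletOperationId inside scaDetails (as the page's sample SCA-Authorization value does), are assumptions.

```python
import base64
import json
import re
from datetime import datetime, timezone

# Constructed sample challenge: values are made up, field names follow the page's sample.
SAMPLE = {"scaDetails": {
    "eventId": "00000000-0000-4000-8000-000000000001",
    "walletOperationId": "00000000-0000-4000-8000-000000000002",
    "authenticationMode": "OUTSOURCED",
    "availableVerifications": [{"method": "PIN"}, {"method": "OTP", "channel": "SMS"}],
    "creationTime": "2021-07-15T17:54:12Z",
    "expirationTime": "2021-07-15T18:09:12Z"}}
SAMPLE_HEADER = 'SCA realm="Authentication" auth-param1="%s"' % (
    base64.b64encode(json.dumps(SAMPLE).encode()).decode())


def parse_sca_challenge(www_authenticate, now=None):
    """Return scaDetails from an SCA challenge; raise ValueError if malformed or expired."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme != "SCA":
        raise ValueError("not an SCA challenge")
    match = re.search(r'auth-param1="([A-Za-z0-9+/]+={0,2})"', params)
    if not match:
        raise ValueError("auth-param1 missing or not Base64")
    now = now or datetime.now(timezone.utc)
    try:
        details = json.loads(base64.b64decode(match.group(1), validate=True))["scaDetails"]
        details["eventId"], details["walletOperationId"]  # both must be present
        expires = datetime.fromisoformat(details["expirationTime"].replace("Z", "+00:00"))
        expired = now >= expires  # TypeError if the timestamp carries no timezone
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        raise ValueError(f"malformed SCA challenge: {exc!r}") from exc
    if expired:
        raise ValueError("SCA challenge expired; request a fresh one")
    return details


def build_sca_authorization(details):
    """Base64-encoded JSON holding only the two identifiers, for SCA-Authorization."""
    reply = {"scaDetails": {"eventId": details["eventId"],
                            "walletOperationId": details["walletOperationId"]}}
    return base64.b64encode(json.dumps(reply).encode()).decode()


if __name__ == "__main__":
    d = parse_sca_challenge(SAMPLE_HEADER, now=datetime(2021, 7, 15, 18, 0, tzinfo=timezone.utc))
    print([v["method"] for v in d["availableVerifications"]])
    print("SCA-Authorization:", build_sca_authorization(d))
```
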

Request

Path Parameters

    brandIdentity string required

    The identity of the partner using the Embedded Wallet.

    Example: liberty

Body

required

Token request by which a client application requests an access token from the Paysafe authorization server.

    grant_type string required

    Possible values: [CLIENT_CREDENTIALS, REFRESH_TOKEN, TOKEN_EXCHANGE, PASSWORD]

    It is used in token requests to specify the type of authorization grant being utilized. The acceptable values are:

    • client_credentials: client credentials grant type

    • refresh_token: refresh token grant type

    • urn:ietf:params:oauth:grant-type:token-exchange: token exchange grant type

    • password: resource owner password (or "password") grant type

    scope string

    The scope of the requested access token. Can be used to restrict the new access token to a subset of the scope allowed to the client and token type.

Responses

OK

Schema

    access_token string required

    The newly-obtained access token.

    expires_in number

    The lifetime of the access token, in seconds.

    refresh_token string

    The refresh token used to obtain a new access token when the original token expires.

    refresh_expires_in number

    The lifetime of the refresh token, in seconds.

    token_type string required

    Possible values: [Bearer]

    The type of the token. Currently only bearer tokens are emitted.

    id_token string

    The user identity token, proving that the user has been authenticated.

    scope string

    The effective scope of the newly-obtained token.
