Authorization
  • 14 Feb 2025

All requests to Flex Pay’s APIs (both marketing and checkout REST APIs) require an access_token sent in the request headers. You can retrieve your access_token by making a request to our login service and providing your Upgrade login details (provided to your team by your Flex Pay Integration Lead during the onboarding/kick-off process).

If you are having trouble with your credentials, please contact your Account Manager and/or Integration Lead.

Flex Pay’s APIs utilize the OAuth 2.0 protocol for request authorization. An access token must be included in the Authorization HTTP header for all API requests.

Client IDs and client secrets are generated on a per-merchant and per-environment basis. To be issued pre-production and production credentials, a comprehensive list of server IP addresses must be provided for security review. Following approval, the approved list of IP addresses will be added to the allow list, and API requests will be permitted.

Obtaining a Token

curl --location --request POST '{{server_url}}/api/auth/v1/oauth/token?grant_type=client_credentials' \
--header 'Authorization: Basic {{base64_encoded_credentials}}'

Using a Token

The access token obtained from the authorization server must be sent with every API call in the Authorization: Bearer {{token}} HTTP header.

curl --location '{{server_url}}/api/checkout/v1/orders' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer {{token}}' \
--data-raw '{{json}}'

Considerations

All access tokens generated by the authorization server have a set expiration (default 30 minutes). It is therefore recommended to request a new access token shortly before the current access token is set to expire.

It is important that any shared credentials or sensitive data are kept safe and confidential in order to prevent unauthorized use or disruption of services. Some recommended best practices include:

  • Share secrets securely: Avoid sharing secrets through insecure communication channels like email or unencrypted HTTP.
  • Store secrets securely: Avoid storing secrets in insecure storage solutions like code repositories or client-side code where they can be easily accessed. Some recommended storage solutions include Secrets Managers, Key Management Systems (KMS), and encrypted databases.

