Version: v2

Authentication

To call the Getpaid API you must first obtain an OAuth 2.0 access token using the client ID and client secret that were issued when the API client credentials were created. See the authentication endpoints in the API reference for more details.

  1. Make a POST request to https://auth.getpaid.io/oauth/token with the client credentials, the client_credentials grant type, and the audience of the target environment (live or sandbox):

    POST https://auth.getpaid.io/oauth/token
    {
    "client_id": "{{client_id}}",
    "client_secret": "{{client_secret}}",
    "audience": "https://api.getpaid.io",
    "grant_type": "client_credentials"
    }
  2. The response carries a Bearer access token in JSON Web Token (JWT) format in the access_token field. Send it in the Authorization header (Authorization: Bearer <access_token>) of every subsequent Getpaid API request. The scope field lists the scopes that were actually granted to the token.

    200 OK
    {
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
    "scope": "accounts:read documents:read_write payments:read",
    "expires_in": 3600,
    "token_type": "Bearer"
    }
  3. The access token is valid for the number of seconds given in the expires_in field. Cache it and reuse it until shortly before it expires, then request a new one; do not request a fresh token for every API call. Treat the client secret and the access token as secrets: send them only over HTTPS and keep them out of logs, URLs and client-side code.

Authorization scopes

The Getpaid API implements a fine-grained, scope-based authorization mechanism so that you can limit an access token to the resources you actually need and minimize the impact of a leaked or compromised token.

Every endpoint in the API reference lists the scopes required to call it. For example, initiating a payment checkout requires the payments:read_write scope; a token issued with only payments:read (as in the sample response above) cannot call that endpoint, so check the scope field of the token response against the endpoint's requirements before relying on the token.
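The following is an added example, not Getpaid's own client code, that puts the token procedure above and the scope check together: it requests a client-credentials token from the token endpoint, caches it and refreshes it shortly before expires_in elapses, and refuses to build an Authorization header for an endpoint whose required scopes the token was not granted. TOKEN_URL, AUDIENCE and the sample response are taken from this page; the HTTP transport is injected as a plain callable so the example runs offline (a real client would wrap requests or httpx), and REFRESH_MARGIN, the class and function names and the demo credentials are assumptions made for this example.

```python
"""Added example (not Getpaid's own client code): client-credentials token
acquisition with caching, refresh-before-expiry and a required-scope check."""
import time
from typing import Callable, Dict, FrozenSet, List, Optional

TOKEN_URL = "https://auth.getpaid.io/oauth/token"   # from the page
AUDIENCE = "https://api.getpaid.io"                  # from the page (live audience)
REFRESH_MARGIN = 60  # assumed: refresh this many seconds before expires_in elapses

# Constructed from the page's sample 200 OK response; the token is the page's placeholder JWT.
SAMPLE_RESPONSE = {
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
    "scope": "accounts:read documents:read_write payments:read",
    "expires_in": 3600,
    "token_type": "Bearer",
}


class InsufficientScopeError(PermissionError):
    """Raised before sending a request the token is not authorized for."""

    def __init__(self, missing):
        self.missing = frozenset(missing)
        super().__init__("token lacks required scope(s): " + " ".join(sorted(self.missing)))


class TokenClient:
    def __init__(self, client_id: str, client_secret: str,
                 post: Callable[[str, dict], dict], clock: Callable[[], float] = time.time):
        self._client_id = client_id
        self._client_secret = client_secret   # never log, print or put in a URL
        self._post = post                     # (url, json_body) -> parsed JSON response dict
        self._clock = clock                   # injectable for testing expiry handling
        self._token: Optional[str] = None
        self._scopes: FrozenSet[str] = frozenset()
        self._expires_at = 0.0

    def _fetch(self) -> None:
        # Step 1 of the procedure: client-credentials grant with the target audience.
        body = {
            "client_id": self._client_id,
            "client_secret": self._client_secret,
            "audience": AUDIENCE,
            "grant_type": "client_credentials",
        }
        resp = self._post(TOKEN_URL, body)
        if str(resp.get("token_type", "")).lower() != "bearer":
            raise ValueError("unexpected token_type: %r" % resp.get("token_type"))
        self._token = resp["access_token"]
        self._scopes = frozenset(resp.get("scope", "").split())  # scopes actually granted
        self._expires_at = self._clock() + int(resp["expires_in"])

    def access_token(self) -> str:
        # Step 3: reuse the cached token until it is within REFRESH_MARGIN of expiring.
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN:
            self._fetch()
        return self._token

    def auth_header(self, *required_scopes: str) -> Dict[str, str]:
        # Step 2 plus the scope check: fail locally instead of sending a request
        # the API will reject (and that would needlessly expose the token).
        token = self.access_token()   # refresh first so _scopes reflects the current token
        missing = set(required_scopes) - self._scopes
        if missing:
            raise InsufficientScopeError(missing)
        return {"Authorization": "Bearer " + token}


def make_fake_post(calls: List[tuple]) -> Callable[[str, dict], dict]:
    """Offline stand-in for the HTTP transport: records calls, returns the sample response."""
    def post(url: str, body: dict) -> dict:
        calls.append((url, dict(body)))
        return dict(SAMPLE_RESPONSE)
    return post


def demo() -> dict:
    calls: List[tuple] = []
    now = [1_700_000_000.0]   # fake clock, advanced by hand below
    client = TokenClient("demo-client-id", "demo-client-secret",   # constructed credentials
                         post=make_fake_post(calls), clock=lambda: now[0])
    header = client.auth_header("payments:read")                       # fetches once
    client.auth_header("accounts:read", "documents:read_write")        # served from cache
    fetches_before_expiry = len(calls)
    now[0] += SAMPLE_RESPONSE["expires_in"] - REFRESH_MARGIN           # reaches the refresh threshold
    client.auth_header("payments:read")                                # fetches again
    fetches_after_expiry = len(calls)
    try:
        client.auth_header("payments:read_write")   # checkout scope the sample token lacks
        missing = frozenset()
    except InsufficientScopeError as exc:
        missing = exc.missing
    return {
        "header": header,
        "request_body": calls[0][1],
        "fetches_before_expiry": fetches_before_expiry,
        "fetches_after_expiry": fetches_after_expiry,
        "missing": missing,
    }


if __name__ == "__main__":
    print(demo())
```

With the page's sample response, demo() makes exactly one token request for the first two calls, a second one once the clock reaches expires_in minus the margin, and raises InsufficientScopeError for payments:read_write because the token was granted only payments:read.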