API - How to get a token

Endpoint

POST /oauth2/token

🔐 Why do you need an access token?

Our API is protected using an authentication mechanism based on the Client Credentials flow. This means that, in order to consume any of the protected endpoints, you must include a valid access token in every request.

This token confirms that the client is authorized to interact with our services and helps ensure the overall security of the ecosystem.

How to request access credentials

If you don’t have the necessary credentials to obtain a token (i.e., clientId and clientSecret), you must request them from our technical support team.

📬 Support email: [email protected] Please include in your request the identifier of your merchant and the environment (production or development) for which you need access.

How to obtain the token once you have the credentials

Once you have your clientId and clientSecret, you can make a request to the authentication endpoint to retrieve your access token.

🔗 Authentication Endpoint (Production)

https://wipay-gateway.auth.eu-west-1.amazoncognito.com/oauth2/token

🔗 Authentication Endpoint (Development)

https://wipay-gateway-stage.auth.eu-west-1.amazoncognito.com/oauth2/token

Headers

Name

Value

Details

Content-Type

application/x-www-form-urlencoded

Authorization

Basic <Base64(clientId:clientSecret)>

In order to generate the header value for Authorization, you must enconde the String clientId:clientSecret in base64.

How to generate the `Authorization` header value

To authenticate your request when obtaining the token, you must include an Authorization header with your credentials encoded.

What does this mean?

You need to take your clientId and clientSecret (provided by support), and join them in the following format:

clientId:clientSecret

Then, encode this string in base64. The result will be used as the value of the Authorization header.

Body:

Name

Value

grant_type

client_credentials

Example using `curl`

curl -X POST \
  https://wipay-gateway-stage.auth.eu-west-1.amazoncognito.com/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic <Base64(clientId:clientSecret)>" \
  -d "grant_type=client_credentials"

Expected response

{
  "access_token": "eyJraWQiOiJLT3hE...",
  "expires_in": 3600,
  "token_type": "Bearer"
}

The access_token is the value you must include in the Authorization header for every subsequent API request:

Name

Value

Authorization

Bearer <access_token>

⚠️ Important notes

The token has a limited lifetime (expires_in in seconds). Once it expires, you must request a new one.
This flow is not intended for end users, but for application-to-application or backend integrations.
Never expose or share your credentials (clientId / clientSecret) in frontend code or public repositories.

PreviousAPI - Getting Started NextAPI - Link

Last updated 5 months ago

Endpoint

🔐 Why do you need an access token?

How to request access credentials

How to obtain the token once you have the credentials

🔗 Authentication Endpoint (Production)

🔗 Authentication Endpoint (Development)

Headers

How to generate the Authorization header value

Example using curl

Expected response

⚠️ Important notes

How to generate the `Authorization` header value

Example using `curl`