Authentication

All Autopay APIs are secured using OAuth.

Getting access

  1. Contact your Autopay representative to acquire the Client Credentials (Client ID and Secret) for your application.
  2. Use the Get access token endpoint to request a short term access token using the Client Credentials.
  3. Your application must send this token in the HTTP Authorization header as a Bearer token when making requests to Autopay APIs:
    Authorization: Bearer eyJxxxxxxxxxxyHI
  4. Each access token expires after a short period of time, usually 10-24 hours. Expiration time is specified in the expries_in field returned with the token. A new token has to be requested after that time to keep using the APIs.
Note: Generating excessive access tokens within the expiration time (i.e. requesting a new one for each request) may lead to termination of API access.

Available resources:


Resource: POST

Service: Request an access token

This service allows you to retrieve a short term access token that can be used to authorize Autopay API requests.

Endpoint:

POST https://api-auth.autopay.io/oauth/token

Request parameters:

  • The request body must be in JSON format and HTTP headers must include Content-Type: application/json.
Parameter Type Mandatory
client_id string yes
client_secret string yes
audience string yes (must always be "https://api.autopay.io")
grant_type string yes (must always be "client_credentials")

Example request:

{
  "client_id":"kWmliLIrb79QfsF9r3vJE4xrKMcdcrrA",
  "client_secret":"7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxg",
  "audience":"https://api.autopay.io",
  "grant_type":"client_credentials"
}

Success response:

HTTP Code: 200 OK

Parameter Type Description
access_token string Access token
scope string Autopay APIs accessible with this token
expires_in integer Time until expiration in seconds (86400 seconds = 24 hours)
token_type string Type of the access token (Bearer)

Example success response:

{
  "access_token":"exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxQ",
  "scope":"customer_club",
  "expires_in":86400,
  "token_type":"Bearer"
}

Error messages

Parameter Type
error string
error_description string

Example error response

Error response in case of invalid values in the client_id or client_secret fields:

HTTP Code: 401 Unauthorized

{
  "error":"access_denied",
  "error_description": "Unauthorized"
}