Authenticating as Partner

Partners that have already generated a user authentication token can now create an Application Token that authenticates at the partner organization level. This token does not expire.

A partner organization can create multiple application tokens and assign each one to a specific function, such as onboarding, payments, or document management. Each token can also be assigned its own set of permissions, which lets the partner limit what a given token can access.

When generating a token, you must provide a label in the request body. We recommend choosing a label that reflects the token's function so that tokens are easy to track.

The example below shows an API user sending a POST request to create a partner application token that is used for onboarding and has onboarding permissions.

curl --request POST \
     --url https://api.exactpaysandbox.com/application/admin-pwa/token \
     --header 'Accept: application/json' \
     --header 'Content-Type: application/json' \
     --data '{
    "label": "exact-onboarding-token",
    "permissions": [
        "onboardings.read",
        "onboardings.update",
        "onboardings.delete",
        "onboarding-document-requests.create",
        "onboarding-document-requests.read",
        "onboarding-documents.create",
        "onboarding-documents.update",
        "onboarding-documents.read",
        "onboarding-documents.delete",
        "onboarding-notes.create",
        "onboarding-notes.read",
        "onboarding-workflows.create",
        "onboarding-workflows.read",
        "onboarding-workflows.update",
        "onboarding-workflows.delete"
    ]
}'
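
// JavaScript (axios): send the API key in the Authorization header
import axios from 'axios'

const res = await axios.get('https://api.exactpaysandbox.com', {
  headers: { Authorization: '<YOUR_API_KEY>' }
})

# Ruby (Net::HTTP): send the API key in the Authorization header
require 'net/http'

uri = URI('https://api.exactpaysandbox.com')
req = Net::HTTP::Get.new(uri)

req['Authorization'] = '<YOUR_API_KEY>'

# use_ssl is required because the URL is https
res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) {|http|
  http.request(req)
}

// Go (net/http): send the API key in the Authorization header
client := &http.Client{}
req, err := http.NewRequest("GET", "https://api.exactpaysandbox.com", nil)
if err != nil { log.Fatal(err) }
req.Header.Add("Authorization", `<YOUR_API_KEY>`)
resp, err := client.Do(req)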

The example below shows the response returned by the Create Application Token API.

Please Note: The account string returned in this response will be used throughout the Embedded Payments API spec as your organizationId.

{
    "label": "exact-onboarding-token",
    "type": "application",
    "token": "string",
    "allowedPermissions": [
        "onboardings.read",
        "onboardings.update",
        "onboardings.delete",
        "onboarding-document-requests.create",
        "onboarding-document-requests.read",
        "onboarding-documents.create",
        "onboarding-documents.update",
        "onboarding-documents.read",
        "onboarding-documents.delete",
        "onboarding-notes.create",
        "onboarding-notes.read",
        "onboarding-workflows.create",
        "onboarding-workflows.read",
        "onboarding-workflows.update",
        "onboarding-workflows.delete"
    ],
    "allowedAccounts": [
        "string",
        "string",
        "string"
    ]
}

Our Embedded Payments API has a sophisticated access control system. The token you will be granted initially has the permission to use any of the APIs. However, we recommend creating additional Application Tokens with purpose-specific permissions, as well as Users with specific roles.
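
The following is an added example, not part of the Exact Payments documentation or SDK. It builds a purpose-specific token request and then checks that the allowedPermissions in the response do not exceed what was requested. The field names come from the request and response shown above; the function names, the prefix allow-list, and all sample values are constructed for illustration.

```javascript
// Added example. Field names (label, permissions, allowedPermissions, token)
// come from the page; function names and sample values are constructed.

// Build a create-token request body limited to one function's permissions.
function buildTokenRequest(label, permissions, allowedPrefixes) {
  if (typeof label !== 'string' || label.trim() === '') {
    throw new Error('label is required');
  }
  const outOfScope = permissions.filter(
    (p) => !allowedPrefixes.some((prefix) => p.startsWith(prefix))
  );
  if (outOfScope.length > 0) {
    throw new Error('out-of-scope permissions: ' + outOfScope.join(', '));
  }
  return { label: label.trim(), permissions: [...new Set(permissions)].sort() };
}

// Compare what was granted with what was requested; redact the token for logs.
function auditTokenResponse(request, response) {
  const requested = new Set(request.permissions);
  const granted = new Set(response.allowedPermissions || []);
  return {
    labelMatches: response.label === request.label,
    excess: [...granted].filter((p) => !requested.has(p)).sort(),
    missing: [...requested].filter((p) => !granted.has(p)).sort(),
    loggable: { ...response, token: '[REDACTED]' },
  };
}

// Constructed sample: a read-only onboarding token and a response that grants more.
const request = buildTokenRequest(
  'exact-onboarding-readonly',
  ['onboardings.read', 'onboarding-documents.read', 'onboarding-notes.read'],
  ['onboardings.', 'onboarding-']
);
const sampleResponse = {
  label: 'exact-onboarding-readonly',
  type: 'application',
  token: 'constructed-sample-token',
  allowedPermissions: ['onboardings.read', 'onboarding-documents.read',
    'onboarding-notes.read', 'onboardings.delete'],
  allowedAccounts: ['constructed-account-id'],
};
const report = auditTokenResponse(request, sampleResponse);
console.log(JSON.stringify(report, null, 2));
```

Because the application token does not expire, write only the loggable copy to logs and keep the real token value in a secret store.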

