Authenticating as User

Once you've signed up to use our Embedded Payments API, you will be able to generate an Application Token with your email address and password to access the API.

This application token expires after 30 minutes of inactivity and is intended for individual users or web interfaces.

For Partner Organizations, use the request below to generate an initial user authentication. With that token, you can then generate a Partner Application Token.

The examples below show an API user sending a POST call to the token endpoint with the e-mail address, password, and application name associated with their user.

cURL:

curl --request POST \
     --url https://api.exactpaysandbox.com/token \
     --header 'Accept: application/json' \
     --header 'Content-Type: application/json' \
     --data '{
       "email": "user@example.com",
       "password": "your_password"
     }'

JavaScript (axios):

import axios from 'axios'

// POST the credentials as a JSON body; the token comes back in res.data.token
const res = await axios.post('https://api.exactpaysandbox.com/token', {
  email: 'user@example.com',
  password: 'your_password'
}, {
  headers: { Accept: 'application/json', 'Content-Type': 'application/json' }
})

Ruby:

require 'net/http'
require 'json'

uri = URI('https://api.exactpaysandbox.com/token')
req = Net::HTTP::Post.new(uri, 'Accept' => 'application/json', 'Content-Type' => 'application/json')
req.body = { email: 'user@example.com', password: 'your_password' }.to_json

# use_ssl is required for an https URI; without it the credentials would be sent over plain HTTP
res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) { |http| http.request(req) }

Go:

body := strings.NewReader(`{"email":"user@example.com","password":"your_password"}`) // imports: "net/http", "strings"
req, err := http.NewRequest("POST", "https://api.exactpaysandbox.com/token", body)
if err != nil { return err }
req.Header.Add("Accept", "application/json")
req.Header.Add("Content-Type", "application/json")
resp, err := http.DefaultClient.Do(req) // check err before reading resp

The example below shows the response returned by the Create Token API. Note that an application token is associated with a user, and that user is associated with an Organization.

Please Note: The account string returned in this response is used throughout the Embedded Payments API spec as your organizationId.

{
    "isAuthenticated": true,
    "mode": "test",
    "token": "string",
    "type": "user",
    "user": "string",
    "application": "string",
    "account": "string",
    "allowedPermissions": [
        "users.read",
        "users.update",
        "users.delete",
        "users.disable",
        "users.set-permissions",
        "users.proxy",
        "organization-invites.create",
        "organization-invites.read",
        "organization-invites.delete",
        "account-invites.create",
        "account-invites.read",
        "account-invites.delete",
        "organizations.create",
        "organizations.read",
        "organizations.update",
        "organizations.delete",
        "organizations.disable",
        "accounts.create",
        "accounts.read",
        "accounts.update",
        "accounts.delete",
        "accounts.disable",
        "applications.create",
        "applications.read",
        "applications.update",
        "applications.delete",
        "application-tokens.create",
        "application-tokens.read",
        "application-tokens.delete",
        "templates.set",
        "templates.unset",
        "roles.create",
        "roles.read",
        "roles.update",
        "roles.delete",
        "onboardings.read",
        "onboardings.update",
        "onboardings.delete",
        "onboarding-document-requests.create",
        "onboarding-document-requests.read",
        "onboarding-documents.create",
        "onboarding-documents.update",
        "onboarding-documents.read",
        "onboarding-documents.delete",
        "onboarding-notes.create",
        "onboarding-notes.read",
        "onboarding-workflows.create",
        "onboarding-workflows.read",
        "onboarding-workflows.update",
        "onboarding-workflows.delete",
        "charges.create",
        "charges.read",
        "plans.create",
        "plans.read",
        "plans.delete",
        "plans.update",
        "subscriptions.create",
        "subscriptions.read",
        "subscriptions.delete",
        "subscriptions.update",
        "customers.create",
        "customers.read",
        "customers.update",
        "customers.delete",
        "reports.create",
        "reports.read",
        "reports.update",
        "reports.delete",
        "events.read",
        "webhooks.create",
        "webhooks.read",
        "webhooks.update",
        "webhooks.delete"
    ],
    "allowedAccounts": [
        "string",
        "string",
        "string"
    ],
    "enabledFeatures": [],
    "apiVersion": "1.0.0",
    "expiresAt": "2022-03-31T16:20:54.580Z"
}

Our Embedded Payments API has a fine-grained access control system. The token you are granted initially has permission to use any of the APIs. However, we recommend creating additional Application Tokens with purpose-specific permissions, as well as Users with specific roles, so that each integration holds only the permissions it needs.
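As an added example (not Exact's own SDK code), a small JavaScript helper that parses the Create Token response above, keeps the account string as the organizationId, and checks expiry and permissions before a call is made; the sample response, the identifiers in it and the one-minute expiry skew are constructed assumptions.

```javascript
// Constructed sample of the Create Token response shown above (not a real token).
const SAMPLE_RESPONSE = JSON.stringify({
  isAuthenticated: true,
  mode: "test",
  token: "EXAMPLE_TOKEN_DO_NOT_LOG",
  type: "user",
  user: "usr_example",
  application: "app_example",
  account: "acc_example",
  allowedPermissions: ["accounts.read", "charges.create", "charges.read"],
  allowedAccounts: ["acc_example"],
  enabledFeatures: [],
  apiVersion: "1.0.0",
  expiresAt: "2022-03-31T16:20:54.580Z",
});

// Turn the raw JSON into a session object. A response that is not an
// authenticated one, or that lacks a token, must never become a usable session.
function parseTokenResponse(body) {
  const r = JSON.parse(body);
  if (r.isAuthenticated !== true || typeof r.token !== "string") {
    throw new Error("authentication failed");
  }
  return {
    token: r.token,
    organizationId: r.account, // the "account" string is the organizationId
    permissions: new Set(r.allowedPermissions || []),
    expiresAt: Date.parse(r.expiresAt),
  };
}

// The token lapses after 30 minutes of inactivity. Treat it as stale a
// little early (skewMs, assumed 60 s) so an in-flight call does not race the expiry.
function isExpired(session, nowMs, skewMs = 60000) {
  return nowMs + skewMs >= session.expiresAt;
}

// Least-privilege check: which of the permissions an operation needs does
// this token lack? Use it to decide whether a different, purpose-scoped token is needed.
function missingPermissions(session, required) {
  return required.filter((p) => !session.permissions.has(p));
}

// Header for subsequent calls, in the form the snippets above use; log the
// organizationId rather than the token when recording activity.
function authHeader(session) {
  return { Authorization: session.token };
}
```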