To access our API, your application must authenticate. We use the OAuth2 client credentials flow.

Don’t have API credentials?

If you don’t have a client_id and client_secret yet, you’ll need them to proceed. Please book a meeting to get set up.

Steps

1. Obtain an access token

First, your application needs to request an access token. This token identifies and authorizes your application.

POST /oauth2/token

Request headers:

Content-Type (string, required): Must be application/x-www-form-urlencoded for this endpoint.

Request parameters:

grant_type (string, required): Must be client_credentials.

client_id (string, required): Your unique client ID.

client_secret (string, required): Your client secret.

curl --request POST \
  --url 'https://api.paysway.io/oauth2/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data client_id=YOUR_CLIENT_ID \
  --data client_secret=YOUR_CLIENT_SECRET

Response fields:

access_token (string, required): The bearer token to use for authenticating API requests.

token_type (string, required): Always returns “Bearer” for this authentication flow.

expires_in (integer, required): Token lifetime in seconds (e.g., 3600 = 1 hour).

2. Use the token in API calls

Include the obtained access_token in the Authorization header of your API requests:

Authorization (string, required): Bearer token in the format: Bearer YOUR_ACCESS_TOKEN

curl --request POST \
  --url https://api.paysway.io/payments/validations \
  --header 'Authorization: Bearer YOUR_ACCESS_TOKEN'

If the access token is missing, invalid, or expired, the API will return a 401 Unauthorized error. Your application should handle this by requesting a new token.

Request a new token before the current one expires to avoid service interruptions. Consider implementing automatic token refresh in your application.