Authentication

All Checkout API endpoints described in this documentation require an Authorization header using the Bearer authentication scheme.

Partners obtain an access token by using the OAuth 2.0 client credentials flow, as defined in RFC 6749, section 4.4.

The token lifetime is returned as part of the token response.

URL path - /checkout/oauth2/token

Method - POST

Overview

Use this endpoint to obtain an access token before calling protected Checkout API endpoints.

Partner-specific credentials and scopes are provided during onboarding.

Request Headers

Header Name   | Header Value
Content-Type  | application/x-www-form-urlencoded
Authorization | Basic base64(Username:Password)

The username and password used for Basic authentication are partner-specific API credentials.

Form Parameters

Parameter Key | Parameter Data Type | Required | Notes
grant_type    | string              | Y        | Parameter value must be set to client_credentials
scope         | string              | Y        | The scope of the access request as described by the RFC

Partner-specific scopes are provided during onboarding.

Response

Status Code - 200 OK

Parameter Key | Parameter Data Type | Required | Notes
access_token  | string              | Y        | Bearer token used to call protected APIs
token_type    | string              | Y        | Authentication scheme. Expected value: Bearer
expires_in    | integer             | Y        | Token lifetime in seconds
scope         | string              | Y        | Granted scopes

Examples

Request

POST /checkout/oauth2/token HTTP/1.1
Host: sample.pyng.com.au
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&scope=pyng_defined_scope

Response

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

{
  "access_token": "access_token_example",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "pyng_granted_scope_1 pyng_granted_scope_2"
}

Error Response

HTTP/1.1 401 Unauthorized
Content-Type: application/json;charset=UTF-8

{
  "error": "invalid_client",
  "error_description": "Client authentication failed"
}
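
Client-side handling of the token request and response documented above, as an added example that is not part of the original documentation or any partner SDK. The names TokenCache, TokenError, REFRESH_MARGIN and the injected send(path, headers, body) transport are assumptions made for illustration; the path, headers, form parameters and response fields are the ones on this page.

```python
import base64
import json
import time
from urllib.parse import urlencode

TOKEN_PATH = "/checkout/oauth2/token"  # from this page
REFRESH_MARGIN = 60  # assumption: refresh 60 s before the token expires

class TokenError(Exception):
    """Token endpoint returned an error or an unexpected response."""

def build_token_request(username, password, scope):
    """Return (headers, body) for the client credentials request."""
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return headers, body

def parse_token_response(status, body, now):
    """Validate the response; return (access_token, absolute expiry time)."""
    data = json.loads(body)
    if status != 200:
        # e.g. 401 invalid_client: surface the error, never retry blindly
        raise TokenError(f"{status} {data.get('error')}: "
                         f"{data.get('error_description')}")
    # RFC 6749 defines token_type as case insensitive
    if str(data.get("token_type", "")).lower() != "bearer":
        raise TokenError("unexpected token_type")
    return data["access_token"], now + int(data["expires_in"])

class TokenCache:
    """Reuses one token and requests a new one shortly before it expires."""
    def __init__(self, send, username, password, scope, clock=time.time):
        # send(path, headers, body) -> (status, body) is a hypothetical transport
        self.send, self.clock = send, clock
        self.creds = (username, password, scope)
        self.token, self.expires_at = None, 0

    def authorization_header(self):
        now = self.clock()
        if self.token is None or now >= self.expires_at - REFRESH_MARGIN:
            headers, body = build_token_request(*self.creds)
            status, resp = self.send(TOKEN_PATH, headers, body)
            self.token, self.expires_at = parse_token_response(status, resp, now)
        return {"Authorization": f"Bearer {self.token}"}
```

Back send with an HTTPS client call to the partner host, and load the credentials from a secret store rather than from source code.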