Authentication

The Payroc API uses Bearer tokens to authenticate requests. To generate a Bearer token, send a request to the Payroc Identity Service with your API key in the ‘x-api-key’ header.

API key best practices

  • Grant each API key only the least privilege it needs to carry out its target tasks.
  • Do not share API keys.
  • Do not use API keys in publicly accessible areas, for example, client-side code.

Important: Use HTTPS for all requests to the Payroc API. We reject all HTTP requests, and all requests that are not properly authenticated.

Request

Identity Service endpoints:

Endpoint | Prefix | URL
Test | identity.uat. | https://identity.uat.payroc.com/authorize
Production | identity. | https://identity.payroc.com/authorize

curl --location --request POST 'https://identity.payroc.com/authorize' --header 'x-api-key: <api key>'

Response

{
  "access_token": "eyJhbGc....adQssw5c",
  "expires_in": 3600,
  "scope": "service_a service_b",
  "token_type": "Bearer"
}

Include the access_token as a Bearer token in all future requests to the Payroc API, for example:

Request

curl -H "Authorization: Bearer <access token>" '<API endpoint URL>'
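
The following is an added example, not Payroc's own code: a server-side helper that exchanges the API key for a Bearer token, refuses non-HTTPS URLs, and reuses the token until shortly before expires_in elapses. The names fetch_token and BearerTokenCache, the PAYROC_API_KEY environment variable, and the 60-second renewal margin are assumptions made for illustration.

```python
import json
import os
import time
import urllib.request

IDENTITY_URL = "https://identity.uat.payroc.com/authorize"  # test endpoint listed above


def fetch_token(api_key, url=IDENTITY_URL):
    """POST the API key in the x-api-key header and return the parsed JSON response."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send the API key over a non-HTTPS URL")
    req = urllib.request.Request(url, method="POST", headers={"x-api-key": api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class BearerTokenCache:
    """Caches the access token and renews it shortly before expires_in elapses."""

    def __init__(self, api_key, fetch=fetch_token, clock=time.monotonic, skew=60):
        self._api_key = api_key
        self._fetch = fetch
        self._clock = clock
        self._skew = skew  # assumed safety margin in seconds
        self._token = None
        self._expires_at = 0.0

    def auth_header(self):
        """Return the Authorization header, fetching a new token only when needed."""
        if self._token is None or self._clock() >= self._expires_at:
            body = self._fetch(self._api_key)
            if body.get("token_type") != "Bearer" or not body.get("access_token"):
                raise RuntimeError("unexpected response from the identity service")
            self._token = body["access_token"]
            lifetime = max(int(body["expires_in"]) - self._skew, 0)
            self._expires_at = self._clock() + lifetime
        return {"Authorization": "Bearer " + self._token}

    def __repr__(self):
        return "BearerTokenCache(<redacted>)"  # keep the key and token out of logs


if __name__ == "__main__":
    # PAYROC_API_KEY is a hypothetical variable name; the key is never hard-coded.
    cache = BearerTokenCache(os.environ["PAYROC_API_KEY"])
    print(sorted(cache.auth_header()))  # prints header names only, not the token
```

Keeping the key in the server's environment and the token in memory follows the best practices listed above: neither value appears in source code, client-side code, or log output.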