The Payroc API uses Bearer tokens to authenticate requests. To generate a Bearer token, include your API token in the 'x-api-key' parameter in the header of a request to the Payroc Identity Service.

API key best practices

Grant API keys with the least amount of privilege to carry out target tasks.
Do not share API keys.
Do not use API keys in publicly accessible areas, for example, client-side code.

Use HTTPS for all requests to the Payroc API. We reject all HTTP requests, and all requests that are not properly authenticated.

Request

Identity Service endpoint: https://identity.payroc.com/authorize

curl --location --request POST  'https://identity.payroc.com/authorize' --header 'x-api-key: <api key>'

Response

{
  "access_token": "eyJhbGc....adQssw5c",
  "expires_in": 3600,
  "scope": "service_a service_b",
  "token_type": "Bearer"
}

Include the access_token as a Bearer token in all future requests to the Payroc API, for example:

Request

curl
-H "Authorization: Bearer <access token>"

Authentication

API key best practices

Request

Response

Request