Authentication

The Payroc API uses Bearer tokens to authenticate requests. To generate a Bearer token, send a request to the Payroc Identity Service with your API key in the 'x-api-key' header.

API key best practices

  • Grant each API key only the privileges it needs to carry out its tasks.
  • Do not share API keys.
  • Do not use API keys in publicly accessible areas, for example, client-side code.

Use HTTPS for all requests to the Payroc API. We reject all HTTP requests, and all requests that are not properly authenticated.

Request

Identity Service endpoint: https://identity.payroc.com/authorize
curl --location --request POST 'https://identity.payroc.com/authorize' --header 'x-api-key: <api key>'

Response

{
  "access_token": "eyJhbGc....adQssw5c",
  "expires_in": 3600,
  "scope": "service_a service_b",
  "token_type": "Bearer"
}

Include the access_token as a Bearer token in all future requests to the Payroc API, for example:

Request

curl -H "Authorization: Bearer <access token>" '<API endpoint URL>'