---
title: Authenticate your session
icon: shield-check
intro: Create a session token to authenticate your Hosted Fields session.
published: true
---

To authenticate your access to the Payroc gateway, include a session token every time you run the Hosted Fields script on a webpage.

## Before you begin

* Make sure you have your API key for both the test environment and the production environment.
* Make sure that your integration can handle errors. If a request is unsuccessful, we return an error that follows the [RFC 7807 format](https://datatracker.ietf.org/doc/html/rfc7807). For more information about errors, go to [Errors](/api/errors).

## Integration steps

**Step 1.**	Generate a Bearer token.\
**Step 2.**	Generate a session token from the Bearer token.

## Step 1. Generate a Bearer token

To authenticate your integration, you need to use a Bearer token. To generate a Bearer token, send your API key in a request to our Identity Service.

<Note>
  **Note:** You need to generate a new Bearer token before the previous Bearer token expires.
</Note>

### Request

To generate a Bearer token, include your API key in an x-api-key header in a POST request to our Identity endpoint.

| Endpoint   | Prefix          | URL                                                                                    |
| :--------- | :-------------- | :------------------------------------------------------------------------------------- |
| Test       | `identity.uat.` | [https://identity.uat.payroc.com/authorize](https://identity.uat.payroc.com/authorize) |
| Production | `identity.`     | [https://identity.payroc.com/authorize](https://identity.payroc.com/authorize)         |

### Example request

```bash
curl --location --request POST  'https://identity.payroc.com/authorize' --header 'x-api-key: <api key>'
```

### Response

If your request is successful, we return a response that contains your Bearer token, information about its scope, and when it expires.

| Field         | Description                                                                              |
| :------------ | :--------------------------------------------------------------------------------------- |
| access\_token | Value for the Bearer token. Use this value in the Authorization header of your requests. |
| expires\_in   | Number of seconds that the token expires in.                                             |
| scope         | Indicates which services the token covers.                                               |
| token\_type   | Type of access token.                                                                    |

### Example response

```json
{
  "access_token": "eyJhbGc....adQssw5c",
  "expires_in": 3600,
  "scope": "service_a service_b",
  "token_type": "Bearer"
}
```

## Step 2. Generate a session token from the Bearer token

You must generate a new session token each time you initialize Hosted Fields. A session token expires after 10 minutes.

When you generate a session token, you need to specify the version of the Hosted Fields JavaScript library that you are using. Include the version number in the libVersion parameter in the body of your request.

| Environment | Version      |
| ----------- | ------------ |
| Test        | 1.7.0.261457 |
| Production  | 1.7.0.261471 |

### Request

To generate a session token, send a POST request to our Processing Terminals endpoint.

| Endpoint   | Prefix     | URL                                                                                                                                                                                                    |
| :--------- | :--------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Test       | `api.uat.` | [https://api.uat.payroc.com/v1/processing-terminals/\{processingTerminalId}/hosted-fields-sessions](https://api.uat.payroc.com/v1/processing-terminals/\{processingTerminalId}/hosted-fields-sessions) |
| Production | `api.`     | [https://api.payroc.com/v1/processing-terminals/\{processingTerminalId}/hosted-fields-sessions](https://api.payroc.com/v1/processing-terminals/\{processingTerminalId}/hosted-fields-sessions)         |

Include the following headers in your request:

* **Content-Type:** Include application/json as the value for this parameter.
* **Authorization:** Include your Bearer token in this parameter.
* **Idempotency-Key:** Include a UUID v4 to make the request idempotent.

To create the body of your request, use the following parameters:

<EndpointSchemaSnippet endpoint="POST /processing-terminals/{processingTerminalId}/hosted-fields-sessions" selector="request.body" />

### Example request

<EndpointRequestSnippet endpoint="POST /processing-terminals/{processingTerminalId}/hosted-fields-sessions" />

### Response fields

If your request is successful, our gateway generates a session token. The response contains the following fields:

<EndpointSchemaSnippet endpoint="POST /processing-terminals/{processingTerminalId}/hosted-fields-sessions" selector="response.body" />

### Example response

<EndpointResponseSnippet endpoint="POST /processing-terminals/{processingTerminalId}/hosted-fields-sessions" example="createSessionResponse" />