Retrieving and Using a JWT Token

To make authorized requests to the Payment Gateway API, a valid JSON Web Token (JWT) is required. This token must be included in the Authorization header of each request, using the Bearer prefix.

You can obtain a JWT by sending a POST request to the /auth/token endpoint. The response will contain the token in the access_token field of the response body:

{
"access_token": "your_generated_jwt_token"
}
Note: Check the API specification for that here:

How to

Information    Description              Data
Host           Provided by boltPay
Method         POST
Endpoint       /auth/token
Body           x-www-form-urlencoded
  • client_id: Provided by boltPay
  • client_secret: Provided by boltPay
  • grant_type: client_credentials
  • scope: openid accountId username roles permissions status entityUser

Request example using curl:

# --data-urlencode percent-encodes each value, so the secret is passed raw ('@', not '%40')
curl --location --request POST '{pgw-url}/auth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=client3x3mPl3' \
--data-urlencode 'client_secret=s3cr3Tp@ass' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=openid accountId username roles permissions status entityUser'

Response example:

{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InIxTGtiQm8zOTI1UmIyWkZGckt5VTNNVmV4OVQyODE3S3gwdmJpNmlfS2MifQ.EVURSJdLCJzdGF0dXMiOiJhY3RpdmUiLCJqdGkiOiJXS21MX3N1bjFqakx5cVc2X2RaUV8iLCJpYXQiOjE2OTQ1MTE2NzYsImV4cCI6MTY5NDUxMjI3Niwic2NvcGUiOiJvcGVuaWQgYWNjb3VudElkIHVzZXJuYW1lIHJvbGVzIHBlcm1pc3Npb25zIHN0YXR1cyBlbnRpdHlVc2VyIiwiaXNzIjoiaHR0cDovLzAuMC4wLjA6OTA5MCIsImF1ZCI6IjVjN2ZiZDYyZjg5MDVhMDAxODk3OTk4ZCJ9.VucwAUv8gruDVfP4DGtbcySU4y8CZ31THv9mFZXDcPc09ct8Aq3qSCiyoCoGNSHeYH27LAnxTzvs38G6RMY4jkO32EjMRYcALlcbX9lAJ89KcFplNj6Q0f-6Xo-rfS6uvVHawyKOCypc1EErWQd9cKqiL35sV-VoCkh0KQgKX9hVlIKh2DpHFivKp4nw7vRZiCsMy1fmmtQTPvXg104SBv7BiU4HAhDkVUgfuyPFBgqvkFbfutz_iqmrWBfhR0PZZVuC-1g",
"expires_in": 600,
"token_type": "Bearer",
"scope": "openid accountId username roles permissions status entityUser"
}

Each token expires after 10 minutes and cannot be recovered once it has expired, so at the end of this period you'll need to call the POST /auth/token endpoint again to retrieve a new token.
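
Because a token is valid for 10 minutes, a client can reuse one token and request a new one shortly before it expires instead of calling /auth/token for every request. The Python code below is an added example, not boltPay's own code: the TokenCache class, its 30-second renewal margin and the injectable send/clock parameters are assumptions for illustration, and the client secret is expected to come from a secret store or environment variable rather than from source code.

```python
import json
import time
import urllib.parse
import urllib.request

SCOPE = "openid accountId username roles permissions status entityUser"

def build_token_request(base_url, client_id, client_secret):
    """Build the POST /auth/token request with a form-urlencoded body."""
    # urlencode() percent-encodes reserved characters exactly once ('@' -> '%40').
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": SCOPE,
    }).encode("ascii")
    return urllib.request.Request(
        base_url.rstrip("/") + "/auth/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def http_send(request):
    """Send the request over the network and decode the JSON reply."""
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.load(response)

class TokenCache:
    """Hypothetical helper: reuses a token until shortly before it expires."""

    def __init__(self, base_url, client_id, client_secret,
                 send=http_send, clock=time.monotonic, skew=30):
        self._args = (base_url, client_id, client_secret)
        self._send, self._clock, self._skew = send, clock, skew
        self._token, self._renew_at = None, 0.0

    def token(self):
        now = self._clock()
        if self._token is None or now >= self._renew_at:
            reply = self._send(build_token_request(*self._args))
            if reply.get("token_type", "").lower() != "bearer" or not reply.get("access_token"):
                raise ValueError("unexpected token response")
            self._token = reply["access_token"]
            # expires_in is in seconds (600 in the response example above).
            self._renew_at = now + int(reply["expires_in"]) - self._skew
        return self._token

    def auth_header(self):
        """Header to attach to every Payment Gateway API request."""
        return {"Authorization": "Bearer " + self.token()}
```

Keep the cached token in memory only and out of logs; anyone holding it can call the API until it expires.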