The IVR API uses Basic HTTP Authentication, a simple authentication scheme built into the HTTP protocol, as specified by RFC 7617.

All IVR API endpoints require this form of authentication. Failure to correctly authenticate an API request will result in a "401 Unauthorized" response.

Following OAuth 2.0 industry standards, Afterpay provides the merchant a Client ID that uniquely identifies the merchant as the entity initiating a transaction. Afterpay also provides a private Client Secret, a character string known only to the Afterpay and the respective merchant. There will be separate credentials to identify the request from the client app, web and backend.

These credentials will be different for each merchant.

Submit client credentials and receive temporary access-oauth-token details.

The access token generated will be valid until it is expired.

As is standard with OAuth 2.0 the HTTP header for this request defines Content-Type as application/x-www-form-urlencoded.

Request an OAuth2 token

HTTP Request

POST https://<auth-env>/oauth2/token

Request body

Name	Type	Mandatory	Description	Comment
grant_type	string	yes	scope of access	must be client_credentials

Request headers

Parameter	Description
Content-Type	application/x-www-form-urlencoded
Accept	application/json
Authorization	Basic Base64(clientId:clientSecret) ; clientId:clientSecret has to be encoded using Base64

Consider the following example

clientId	clientSecret
afterpay	merchantABC

📘
In conventional HTTP terms, "clientId" is the username and clientSecret" is the password. Each merchant account has unique API credentials.

The credentials are joined by a colon character (without any spaces), then base64-encoded.

PLAIN TEXT	BASE64 ENCODED
afterpay:merchantABC	YWZ0ZXJwYXk6bWVyY2hhbnRBQkM=

The Authorization header can then be formed by including the word Basic, followed by a single space character, followed by the base64-encoded credential pair.

Final Header Authorization: Basic YWZ0ZXJwYXk6bWVyY2hhbnRBQkM=

📘
Security Notice Please note that the base64-encoding of the Authorization header is unrelated to security. All HTTP headers and bodies (for both requests and responses) between the Merchant and Afterpay are encrypted with TLS. The reason for base64-encoding is solely to comply with the RFC 7617 standard, which allows non-HTTP characters and multibyte strings to be used for Basic HTTP Authentication.

Sample Example

curl -v -X POST https://<env>/oauth2/token \
-H "Content-Type: application/x-www-form-urlencoded"\
-H "Accept: application/json"\
-H "Authorization: Basic Z29tbzpwYXNzd29yZDEyMw=="\
-d "grant_type=client_credentials"

Response body

Name	Type	Mandatory	Description	Comment
access_token	string	yes	The token authorising access to secure API endpoints	For example, include in the header Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ 9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibm FtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2 MjM5MDIyfQ.SflKxwRJSMeKKF2QT4f wpMeJf36POk6yJV_adQssw5c
expires_in	number	yes	The amount of time in seconds for which the token is valid	In the example 3600 seconds is 1 hour
token_type	string	yes	The type of access token In this case	The type of access token In this case "Bearer"

Sample Example

Status: 200 OK

{
    "access_token": "eyJraWQiOiJSWTJ5VFwvRkVtNhjkFhXM21RcElZWnZ0VWVWaFl4XC8rYytCWG5aRTMrMG5aa2M9IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiI2bDE1cjEyY3F1dnUxa25yam85cW1kZmtiaCIsInRva2VuX3VzZSI6ImFjY2VzcyIsInNjb3BlIjoiYXBpLXFhLml2ci5wYXlub3cuYWZ0ZXJwYXl0b3VjaC5kZXZcL2l2clwvdjFcL2FjdGlvbkNvbmZpcm0gYXBpLXFhLml2ci5wYXlub3cuYWZ0ZXJwYXl0b3VjaC5kZXZcL2l2clwvdjFcL2FjdGlvblN0YXJ0IiwiYXV0aF90aW1lIjoxNjg4Nzc4MjMwLCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAuYXAtc291dGhlYXN0LTIuYW1hem9uYXdzLmNvbVwvYXAtc291dGhlYXN0LTJfb2F6VDN3MHNFIiwiZXhwIjoxNjg4NzgxODMwLCJpYXQiOjE2ODg3NzgyMzAsInZlcnNpb24iOjIsImp0aSI6IjQ2YTNkM2EzLTk5NTAtNDQzNy05YjI1LTRlM2UxMjhiODI1ZSIsImNsaWVudF9pZCI6IjZsMTVyMTJjcXV2dTFrbnJqbzlxbWRma2JoIn0.LOGNH-uBFIvLMaIzCBFfkJqNyrQmpvOAy0pVYrQx1mMDUbSwYDPm85LUwLjq1Ru2LNd3xZSCh1aNOfvg2mtNws2dMmv24WixqG-tsX4wqHUqZxVt4gsCZ07vdNnTwX2A8od0hsa_dfz6W7_2sJwWRug7CuGtPnL_tNDu_Z6RRVu93l7tFgsReelKGeHtBdcyHABF8utlXLMkxX54X2gpiOkfVyStHxozcCXk3hMFZ4pNt-n0wb3fu0k8PN9ro_boLsNV0tLRf92JGWSMOERWbDGGL74J7GNrEy4O9DAEmxvosiyOPTYh-juc5feZduMRyU7IoB5im2WVLKdUgSLx7g",
    "expires_in": 3600,
    "token_type": "Bearer"
}