Use this API to get the OAuth token needed to submit IVR ActionStart and IVR ActionConfirm requests.
The IVR API uses Basic HTTP Authentication, a simple authentication scheme built into the HTTP protocol, as specified by RFC 7617.
All IVR API endpoints require this form of authentication. Failure to correctly authenticate an API request will result in a "401 Unauthorized" response.
Following OAuth 2.0 industry standards, Afterpay provides the merchant a Client ID that uniquely identifies the merchant as the entity initiating a transaction. Afterpay also provides a private Client Secret, a character string known only to Afterpay and the respective merchant. There will be separate credentials to identify the request from the client app, web and backend.
These credentials will be different for each merchant.
Submit the client credentials to receive temporary OAuth access token details.
The generated access token remains valid until it expires.
As is standard with OAuth 2.0, the HTTP header for this request defines Content-Type as application/x-www-form-urlencoded.
Request an OAuth2 token
HTTP Request
POST https:///oauth2/token
Request body
Name | Type | Mandatory | Description | Comment |
---|---|---|---|---|
grant_type | string | yes | scope of access | must be client_credentials |
Request headers
Parameter | Description |
---|---|
Content-Type | application/x-www-form-urlencoded |
Accept | application/json |
Authorization | Basic Base64(clientId:clientSecret) ; clientId:clientSecret has to be encoded using Base64 |
Consider the following example
clientId | clientSecret |
---|---|
afterpay | merchantABC |
In conventional HTTP terms, "clientId" is the username and "clientSecret" is the password. Each merchant account has unique API credentials.
The credentials are joined by a colon character (without any spaces), then base64-encoded.
PLAIN TEXT | BASE64 ENCODED |
---|---|
afterpay:merchantABC | YWZ0ZXJwYXk6bWVyY2hhbnRBQkM= |
The Authorization header can then be formed by including the word Basic, followed by a single space character, followed by the base64-encoded credential pair.
Final Header Authorization: Basic YWZ0ZXJwYXk6bWVyY2hhbnRBQkM=
Security Notice: Please note that the base64-encoding of the Authorization header is unrelated to security. All HTTP headers and bodies (for both requests and responses) between the Merchant and Afterpay are encrypted with TLS. The reason for base64-encoding is solely to comply with the RFC 7617 standard, which allows non-HTTP characters and multibyte strings to be used for Basic HTTP Authentication.
Sample Example
curl -v -X POST https://<env>/oauth2/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Accept: application/json" \
-H "Authorization: Basic Z29tbzpwYXNzd29yZDEyMw==" \
-d "grant_type=client_credentials"
Response body
Name | Type | Mandatory | Description | Comment |
---|---|---|---|---|
access_token | string | yes | The token authorising access to secure API endpoints | For example, include in the header Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c |
expires_in | number | yes | The amount of time in seconds for which the token is valid | In the example 3600 seconds is 1 hour |
token_type | string | yes | The type of access token | In this case "Bearer" |
Sample Example
Status: 200 OK
{
"access_token": "eyJraWQiOiJSWTJ5VFwvRkVtNhjkFhXM21RcElZWnZ0VWVWaFl4XC8rYytCWG5aRTMrMG5aa2M9IiwiYWxnIjoiUlMyNTYifQ.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.LOGNH-uBFIvLMaIzCBFfkJqNyrQmpvOAy0pVYrQx1mMDUbSwYDPm85LUwLjq1Ru2LNd3xZSCh1aNOfvg2mtNws2dMmv24WixqG-tsX4wqHUqZxVt4gsCZ07vdNnTwX2A8od0hsa_dfz6W7_2sJwWRug7CuGtPnL_tNDu_Z6RRVu93l7tFgsReelKGeHtBdcyHABF8utlXLMkxX54X2gpiOkfVyStHxozcCXk3hMFZ4pNt-n0wb3fu0k8PN9ro_boLsNV0tLRf92JGWSMOERWbDGGL74J7GNrEy4O9DAEmxvosiyOPTYh-juc5feZduMRyU7IoB5im2WVLKdUgSLx7g",
"expires_in": 3600,
"token_type": "Bearer"
}
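The token flow described above, as an added Python example (not Afterpay's code): it builds the Basic header, prepares the token request without sending it, and caches the returned token so it is only reused while still valid. The `TokenCache` class, the 60-second expiry margin and the constructed sample response are assumptions of this example.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the RFC 7617 Basic credential: base64(clientId ":" clientSecret)."""
    if ":" in client_id:
        # RFC 7617: a user-id containing a colon is invalid (the pair becomes ambiguous).
        raise ValueError("client_id must not contain ':'")
    pair = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")

def build_token_request(token_url: str, client_id: str, client_secret: str):
    """Prepare (but do not send) the POST described in the request tables."""
    if not token_url.lower().startswith("https://"):
        raise ValueError("refusing to send credentials over a non-TLS URL")
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(token_url, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
        "Authorization": basic_auth_header(client_id, client_secret),
    })

class TokenCache:
    """Hold one access token and report when a new one must be requested."""
    def __init__(self, skew_seconds: int = 60):
        self.skew = skew_seconds      # assumed safety margin before expiry
        self.token = None
        self.expires_at = 0.0

    def store(self, response_json: str, now: float = None) -> None:
        data = json.loads(response_json)
        if data["token_type"].lower() != "bearer":
            raise ValueError("unexpected token_type")
        now = time.time() if now is None else now
        self.token = data["access_token"]
        self.expires_at = now + int(data["expires_in"]) - self.skew

    def bearer_header(self, now: float = None):
        now = time.time() if now is None else now
        if self.token is None or now >= self.expires_at:
            return None               # caller must request a fresh token
        return "Bearer " + self.token

# Constructed response with the same fields as the sample response on this page.
SAMPLE = '{"access_token": "constructed.token.value", "expires_in": 3600, "token_type": "Bearer"}'
```

Pass the prepared request to `urllib.request.urlopen` to send it, and keep the client secret and the cached token out of logs.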