Partner API Authentication

This document provides guidance on how to authenticate to our API using the OAuth 3.0 client_credentials grant type for server-to-server authentication.

Overview

  1. Receive API credentials: We will provide you with the API client ID and client secret.

  2. Request an access token: Send an HTTP POST request to our token endpoint to request an access token.

  3. Receive and use the access token: Use the access token to make authenticated API requests on behalf of your server.

Step-by-Step Guide

1. Receive API credentials

We will provide you with the following API credentials:

  • client_id: The unique identifier for your client (application) in our system.

  • client_secret: A secret key that should be kept confidential and used for authentication.

2. Request an access token

To authenticate using the client_credentials grant type, send an HTTP POST request to our token endpoint (Get Token) with the header Content-Type: application/x-www-form-urlencoded and the following parameters:

  • grant_type: Set the value to client_credentials.

  • client_id: The client ID you received from us.

  • client_secret: The client secret you received from us.

3. Receive and use the access token

If the request is successful, our authentication service will return a JSON object containing the access token, token type, and expiration time (in seconds).

To use the access token, include it in the "Authorization" header as a Bearer token when making API requests. For example:

Authorization: Bearer your_access_token

Replace your_access_token with the actual access token you received from the previous step.

Keep in mind that access tokens have a limited lifetime, and you will need to request a new one once the current token expires. To avoid unnecessary API calls, you can cache the access token and refresh it when it's close to expiring.

Note: The client_credentials grant type is designed for server-to-server authentication and should not be used to authenticate end-users. Keep your client_secret confidential and secure, as it's a critical part of the authentication process.

4. Requestor identification

All commands except those listed below must include the Requestor-ID header, which identifies the requestor of the command (natural person id). Validation of the requestor's permissions to perform a specific command will be added in the future.

  • create natural person / natural persons wizards

  • create legal entity customer / prepare legal entity
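
The four steps above, as an added Python example (not part of the original documentation or our own client code): it requests a token, caches it, refreshes it shortly before expiry, and builds the Authorization and Requestor-ID headers. TOKEN_URL is a placeholder, the JSON field names access_token, token_type and expires_in are assumed, and TokenCache, http_post_form and the 30-second skew are hypothetical names and values chosen for illustration.

```python
import json
import time
import urllib.parse
import urllib.request

# Placeholder, not a real endpoint: substitute the token endpoint you were given.
TOKEN_URL = "https://auth.example.invalid/token"

def http_post_form(url, fields):
    """POST form-encoded fields over HTTPS and return the parsed JSON body."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Caches the access token and requests a new one shortly before expiry."""

    def __init__(self, client_id, client_secret, post=http_post_form,
                 clock=time.monotonic, skew=30):
        self._creds = {"grant_type": "client_credentials",
                       "client_id": client_id, "client_secret": client_secret}
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self):
        # Refresh when no token is cached or it is within `skew` seconds of expiry.
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            data = self._post(TOKEN_URL, self._creds)
            # Assumed field names: access_token, token_type, expires_in (seconds).
            if str(data.get("token_type", "")).lower() != "bearer":
                raise ValueError("unexpected token_type in token response")
            self._token = data["access_token"]
            self._expires_at = self._clock() + float(data["expires_in"])
        return self._token

    def headers(self, requestor_id=None):
        # Requestor-ID is omitted only for the commands exempted in step 4.
        h = {"Authorization": f"Bearer {self.token()}"}
        if requestor_id is not None:
            h["Requestor-ID"] = requestor_id
        return h

    def __repr__(self):
        # Keep client_secret and the token out of logs and tracebacks.
        return "TokenCache(<credentials redacted>)"
```

Load client_id and client_secret from your secret store or environment at startup rather than embedding them in source code.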
