Secure Payments API – Authentication Overview


This article covers authenticating to the Secure Payments (formerly PCI Wallet) API with a POST request. You also have the following authentication options:


Secure Payments uses JSON Web Tokens for authentication. In our implementation, two tokens are generated: secret and token. These two tokens represent your account, so keep them private.

All authenticated endpoints expect both the secret and token to be submitted as part of the request headers. Here's a cURL request showing the headers, endpoint, and payload body:

curl -X PUT --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'secret: your-secret' --header 'authorization: your-token' -d '{
"password": "Another-Good-Password-02"
}' ''

  • secret is the secret: header.
  • token is the authorization: header.

Here's just the payload body from that request:

{
"password": "Another-Good-Password-02"
}

Tokens are long-lived (90 days) and may be revoked (see Revoke Tokens).

Keep in mind that even if a set of tokens is valid, the request won't be allowed if the user password has expired. In that case it fails with a different HTTP code:

  • 401 for authentication failed (wrong secret/token)
  • 402 for session or password expired
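The following client sketch is an added example, not Secure Payments' own code. It sends both tokens in the headers described above, reads them from the environment instead of the command line, and treats 401 and 402 as separate failures. The environment variable names SP_SECRET and SP_TOKEN, the exception names, and the caller-supplied URL are assumptions; the page does not give the endpoint.

```python
import json
import os
import urllib.error
import urllib.request


class AuthFailed(Exception):
    """HTTP 401: authentication failed (wrong secret/token)."""


class PasswordExpired(Exception):
    """HTTP 402: session or password expired, even if the tokens are valid."""


def load_credentials(env=os.environ):
    """Read both tokens from the environment so they stay out of source and shell history."""
    try:
        return env["SP_SECRET"], env["SP_TOKEN"]  # variable names are assumptions
    except KeyError as missing:
        raise RuntimeError(f"missing credential variable {missing}") from None


def build_request(url, secret, token, payload, method="PUT"):
    """Build the request; url is caller-supplied because the page omits the endpoint."""
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        method=method,
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "secret": secret,        # secret goes in the secret: header
            "authorization": token,  # token goes in the authorization: header
        },
    )


def send(request, opener=urllib.request.urlopen):
    """Send the request and map 401 and 402 to distinct exceptions."""
    try:
        with opener(request, timeout=10) as response:
            return json.loads(response.read() or b"null")
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise AuthFailed("secret/token rejected") from None
        if err.code == 402:
            raise PasswordExpired("session or password expired") from None
        raise
```

Keeping the two failures separate lets calling code route a 401 to credential handling and a 402 to the password-renewal flow instead of retrying blindly.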
