Secure Payments API Authentication
General
This article covers using a POST request to authenticate using the Secure Payments (formerly PCI Wallet) API. You also have the following authentication options:
- Revoke an existing authentication
- Refresh an authentication token
Authentication
Secure Payments uses JSON Web Tokens for authentication. In our implementation two tokens are generated: secret and token. These two tokens represent your account, so keep them private.
All authenticated endpoints expect both the secret and token to be submitted as part of the request headers:
curl -X PUT --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'secret: your-secret' --header 'authorization: your-token' -d '{
"password": "Another-Good-Password-02"
}' 'https://pciwallet.simnang.com/api/users'
- secret is the secret: header.
- token is the authorization: header.
Tokens are long lived (90 days) and may be revoked (see POST revoke).
Keep in mind that even if a set of tokens is valid, the request won't be allowed if the user password has expired; it fails with a different HTTP code:
- 401 for authentication failed (wrong secret/token)
- 402 for session or password expired
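The following is an added example, not code from Secure Payments: it sends the secret: and authorization: headers without placing their values on the curl command line, and separates the 401 and 402 outcomes described above. The SP_SECRET and SP_TOKEN variable names, the function names and body.json are assumptions made for this example.

```shell
# Added example (not vendor code). SP_SECRET / SP_TOKEN are names chosen here.

# Print the two auth headers in curl config-file syntax, so they can be fed
# to `curl --config -` on stdin instead of appearing in the process list.
sp_auth_config() {
  if [ -z "${SP_SECRET:-}" ] || [ -z "${SP_TOKEN:-}" ]; then
    echo "SP_SECRET and SP_TOKEN must be set" >&2; return 1
  fi
  sp_nl='
'
  sp_cr=$(printf '\r')
  # Reject characters that would break the quoted value or inject a header.
  case "$SP_SECRET$SP_TOKEN" in
    *\"*|*\\*|*"$sp_nl"*|*"$sp_cr"*)
      echo "credential contains a quote, backslash or line break" >&2
      return 1 ;;
  esac
  printf 'header = "secret: %s"\n' "$SP_SECRET"
  printf 'header = "authorization: %s"\n' "$SP_TOKEN"
}

# Map the HTTP status to the outcomes the article lists.
sp_classify_status() {
  case "$1" in
    2??) echo ok ;;
    401) echo auth_failed; return 1 ;;   # wrong secret/token
    402) echo expired; return 2 ;;       # session or password expired
    *)   echo "unexpected_$1"; return 3 ;;
  esac
}

# usage: sp_request METHOD URL BODY_FILE [OUTPUT_FILE]
# e.g.   sp_request PUT https://pciwallet.simnang.com/api/users body.json
# The JSON body is read from a file because it may hold a password.
sp_request() (
  cfg=$(sp_auth_config) || exit 1
  status=$(printf '%s\n' "$cfg" | curl --silent --config - --request "$1" \
    --header 'Content-Type: application/json' \
    --header 'Accept: application/json' \
    --data-binary "@$3" --output "${4:-/dev/null}" \
    --write-out '%{http_code}' "$2") || exit 1
  sp_classify_status "$status"
)
```

A non-zero return from sp_request tells the caller which case it hit: 1 for a rejected secret/token pair, 2 for an expired session or password, 3 for anything else.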