Authentication
This API version is deprecated and will no longer be supported after December 1, 2025. Refer to API v3 for updated descriptions.
Obtain token
Request
POST
[base]/token
login
string
Yes
Your API key.
password
string
Yes
Your API secret.
Request example
curl --request POST \
--url [base]/token/ \
--header 'Content-Type: application/vnd.api+json' \
--data '{
"data": {
"type": "auth-token",
"attributes": {
"login": "<Your API key>",
"password": "<Your secret>"
}
}
}'
Response
access
string
Your access token. It has an expiry time of about a minute and after expiration should be refreshed.
refresh
string
The long-living token that is used for obtaining new access tokens (refer to Refresh token).
access_expired_at
string
The date and time of access token expiration.
refresh_expired_at
string
The date and time of refresh token expiration.
is_2fa_confirmed
boolean
If true
, 2FA is enabled.
2FA is unavailable for API users.
time
string
The date and time of request receiving.
sign
string
The HMAC signature for a response payload authentication.
To verify that the refresh token was sent by B2BINPAY, generate an HMAC signature using the sha256
as algorithm: sha256
hash of the concatenation of your login and password as a key, and the concatenation of meta.time
and refresh
fields as a message.
Refer to Auth verification below for a sign verification example.
Response example
{
"data": {
"type": "auth-token",
"id": "0",
"attributes": {
"refresh": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
"access": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
"access_expired_at": "2020-12-29T05:42:11.925654Z",
"refresh_expired_at": "2020-12-29T11:27:11.925654Z",
"is_2fa_confirmed": false
}
},
"meta": {
"time": "2020-12-29T05:27:11.925654Z",
"sign": "bcd6519ce27fed2ce9efe49cd09b387f050c0122c96..."
}
}
Response codes
200
—
OK
—
400
2006: No active account found with the given credentials
Incorrect credentials
Send correct credentials.
429
throttled: Request was throttled
Too many requests
Try again later.
500
—
Internal server error
Try again later.
502
—
Bad gateway
Try again later.
503
—
Service unavailable
Try again later.
504
—
Gateway timeout
Try again later.
5xx
—
Other server errors
Try again later.
Refresh token
Once you receive a new key pair using your refresh token, the previous refresh token can no longer be used. A refresh token that is found to be invalid while not being expired must be rendered suspicious.
Request
POST
[base]/token/refresh/
Request example
curl --request POST \
--url [base]/token/refresh/ \
--header 'Content-Type: application/vnd.api+json' \
--data '{
"data": {
"type": "auth-token",
"attributes": {
"refresh": "<Your refresh token>"
}
}
}'
Response
The response body is the same as for Obtain token request, but without meta
fields.
Response body example
{
"type": "auth-token",
"id": "0",
"attributes": {
"refresh": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
"access": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
"access_expired_at": "2020-12-29T05:42:11.925654Z",
"refresh_expired_at": "2020-12-29T11:27:11.925654Z",
"is_2fa_confirmed": false
}
}
Response codes
200
—
OK
—
401
2007: No active account found with the given credentials
Incorrect credentials
Send correct credentials.
500
—
Internal server error
Try again later.
502
—
Bad gateway
Try again later.
503
—
Service unavailable
Try again later.
504
—
Gateway timeout
Try again later.
5xx
—
Other server errors
Try again later.
Auth verification
Refer to the example below for a sign verification instance.
Last updated
Was this helpful?