# Authentication {% hint style="danger" %} This API version is deprecated and will no longer be supported after December 1, 2025. Refer to [API v3](https://docs.b2binpay.com/api-guide/authentication) for updated descriptions. {% endhint %} ## Obtain token ### Request `POST` `[base]/token`
NameTypeRequiredDescription
loginstringYesYour API key.
passwordstringYesYour API secret.
#### Request example {% tabs %} {% tab title="cURL" %} ```sh curl --request POST \ --url [base]/token/ \ --header 'Content-Type: application/vnd.api+json' \ --data '{ "data": { "type": "auth-token", "attributes": { "login": "", "password": "" } } }' ``` {% endtab %} {% tab title="Python" %} ```python import requests url = '[base]/token/' headers = { 'content-type': 'application/vnd.api+json', } data = { 'data': { 'type': 'auth-token', 'attributes': { 'login': '', 'password': '', } } } requests.post(url, headers=headers, json=data) ``` {% endtab %} {% tab title="PHP" %} ```php post('[base]/token/', [ 'json' => [ 'data' => [ 'type' => 'auth-token', 'attributes' => [ 'login' => '', 'password' => '', ], ], ], 'headers' => [ 'Content-Type' => 'application/vnd.api+json', ], ]); echo $res->getBody(); } catch (RequestException $e) {} ``` {% endtab %} {% endtabs %} ### Response
NameTypeDescription
accessstringYour access token. It has an expiry time of about a minute and after expiration should be refreshed.
refreshstringThe long-living token that is used for obtaining new access tokens (refer to Refresh token).
access_expired_atstringThe date and time of access token expiration.
refresh_expired_atstringThe date and time of refresh token expiration.
is_2fa_confirmedboolean

If true, 2FA is enabled.

2FA is unavailable for API users.

timestringThe date and time of request receiving.
signstring

The HMAC signature for a response payload authentication.

To verify that the refresh token was sent by B2BINPAY, generate an HMAC signature using the sha256 as algorithm: sha256 hash of the concatenation of your login and password as a key, and the concatenation of meta.time and refresh fields as a message.

Refer to Auth verification below for a sign verification example.

#### Response example {% code overflow="wrap" %} ```json { "data": { "type": "auth-token", "id": "0", "attributes": { "refresh": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...", "access": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...", "access_expired_at": "2020-12-29T05:42:11.925654Z", "refresh_expired_at": "2020-12-29T11:27:11.925654Z", "is_2fa_confirmed": false } }, "meta": { "time": "2020-12-29T05:27:11.925654Z", "sign": "bcd6519ce27fed2ce9efe49cd09b387f050c0122c96..." } } ``` {% endcode %} #### Response codes
HTTP codeApplication codeDescriptionSuggested action
200OK
4002006: No active account found with the given credentialsIncorrect credentialsSend correct credentials.
429throttled: Request was throttledToo many requestsTry again later.
500Internal server errorTry again later.
502Bad gatewayTry again later.
503Service unavailableTry again later.
504Gateway timeoutTry again later.
5xxOther server errorsTry again later.
*** ## Refresh token {% hint style="danger" %} Once you receive a new key pair using your refresh token, the previous refresh token can no longer be used. A refresh token that is found to be invalid while not being expired must be rendered suspicious. {% endhint %} ### Request `POST` `[base]/token/refresh/`
NameTypeRequiredDescription
refreshstringYesYour refresh token from the Obtain token response.
#### Request example {% tabs %} {% tab title="cURL" %} ```bash curl --request POST \ --url [base]/token/refresh/ \ --header 'Content-Type: application/vnd.api+json' \ --data '{ "data": { "type": "auth-token", "attributes": { "refresh": "" } } }' ``` {% endtab %} {% tab title="Python" %} ```python import requests url = '[base]/token/refresh/' headers = { 'content-type': 'application/vnd.api+json', } data = { 'data': { 'type': 'auth-token', 'attributes': { 'refresh': '', }, }, } requests.post(url, headers=headers, json=data) ``` {% endtab %} {% tab title="PHP" %} {% code overflow="wrap" %} ```php post('[base]/token/refresh/', [ 'json' => [ 'data' => [ 'type' => 'auth-token', 'attributes' => [ 'refresh' => 'Your refresh token', ], ], ], 'headers' => [ 'Content-Type' => 'application/vnd.api+json', ], ]); echo $res->getBody(); } catch (RequestException $e) {} ``` {% endcode %} {% endtab %} {% endtabs %} ### Response The response body is the same as for [Obtain token](#obtain-token) request, but without `meta` fields. #### Response body example ```json { "type": "auth-token", "id": "0", "attributes": { "refresh": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...", "access": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...", "access_expired_at": "2020-12-29T05:42:11.925654Z", "refresh_expired_at": "2020-12-29T11:27:11.925654Z", "is_2fa_confirmed": false } } ``` #### Response codes
HTTP codeApplication codeDescriptionSuggested action
200OK
4012007: No active account found with the given credentialsIncorrect credentialsSend correct credentials.
500Internal server errorTry again later.
502Bad gatewayTry again later.
503Service unavailableTry again later.
504Gateway timeoutTry again later.
5xxOther server errorsTry again later.
*** ## Auth verification Refer to the example below for a sign verification instance.
Auth verification example {% code overflow="wrap" %} ```javascript // "crypto-js": "4.0.0" is installed as a dependency const SHA256 = require("crypto-js/sha256"); const hmacSHA256 = require('crypto-js/hmac-sha256'); // set API user login and password const login = 'Your API key'; const password = 'Your API secret'; // parse /api/token/ response payload const authResponse = JSON.parse("{\n" + " \"data\": {\n" + " \"type\": \"auth-token\",\n" + " \"id\": \"0\",\n" + " \"attributes\": {\n" + " \"refresh\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUz\",\n" + " \"access\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI\",\n" + " \"access_expired_at\": \"2020-08-24T13:50:12.192479+03:00\",\n" + " \"refresh_expired_at\": \"2020-08-24T19:33:33.192479+03:00\",\n" + " \"is_2fa_confirmed\": false\n" + " }\n" + " },\n" + " \"meta\": {\n" + " \"time\": \"2020-08-24T10:33:33.192479Z\",\n" + " \"sign\": \"e70adec551e26b560049e42aa0993ae42cac4e03fbbb300320d8be\"\n" + " }\n" + "}"); // prepare data for hash check const message = authResponse['meta']['time'] + authResponse['data']['attributes']['refresh']; const responseSign = authResponse['meta']['sign']; const secret = SHA256(login + password); const calculatedSign = hmacSHA256(message, secret).toString(); // print result if (responseSign === calculatedSign) { console.log('Verified'); } else { console.log('Invalid sign'); } ``` {% endcode %}