Important announcement: API v3 launch! Review the changes and update your integrations by Dec 1, 2025 before old API shutdown
API guide v3
Release notesTry demo

Authentication

This API version is deprecated and will no longer be supported after December 1, 2025. Refer to API v3 for updated descriptions.

Obtain token

Request

POST [base]/token

Name
Type
Required
Description

login

string

Yes

Your API key.

password

string

Yes

Your API secret.

Request example

curl --request POST \
--url [base]/token/ \
--header 'Content-Type: application/vnd.api+json' \
--data '{
  "data": {
    "type": "auth-token",
    "attributes": {
      "login": "<Your API key>",
      "password": "<Your secret>"
    }
  }
}'

Response

Name
Type
Description

access

string

Your access token. It has an expiry time of about a minute and after expiration should be refreshed.

refresh

string

The long-living token that is used for obtaining new access tokens (refer to Refresh token).

access_expired_at

string

The date and time of access token expiration.

refresh_expired_at

string

The date and time of refresh token expiration.

is_2fa_confirmed

boolean

If true, 2FA is enabled.

2FA is unavailable for API users.

time

string

The date and time of request receiving.

sign

string

The HMAC signature for a response payload authentication.

To verify that the refresh token was sent by B2BINPAY, generate an HMAC signature using the sha256 as algorithm: sha256 hash of the concatenation of your login and password as a key, and the concatenation of meta.time and refresh fields as a message.

Refer to Auth verification below for a sign verification example.

Response example

{
  "data": {
    "type": "auth-token",
    "id": "0",
    "attributes": {
      "refresh": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
      "access": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
      "access_expired_at": "2020-12-29T05:42:11.925654Z",
      "refresh_expired_at": "2020-12-29T11:27:11.925654Z",
      "is_2fa_confirmed": false
    }
  },
  "meta": {
    "time": "2020-12-29T05:27:11.925654Z",
    "sign": "bcd6519ce27fed2ce9efe49cd09b387f050c0122c96..."
  }
}

Response codes

HTTP code
Application code
Description
Suggested action

200

OK

400

2006: No active account found with the given credentials

Incorrect credentials

Send correct credentials.

429

throttled: Request was throttled

Too many requests

Try again later.

500

Internal server error

Try again later.

502

Bad gateway

Try again later.

503

Service unavailable

Try again later.

504

Gateway timeout

Try again later.

5xx

Other server errors

Try again later.

Refresh token

Once you receive a new key pair using your refresh token, the previous refresh token can no longer be used. A refresh token that is found to be invalid while not being expired must be rendered suspicious.

Request

POST [base]/token/refresh/

Name
Type
Required
Description

refresh

string

Yes

Your refresh token from the Obtain token response.

Request example

curl --request POST \
--url [base]/token/refresh/ \
--header 'Content-Type: application/vnd.api+json' \
--data '{
  "data": {
    "type": "auth-token",
    "attributes": {
      "refresh": "<Your refresh token>"
    }
  }
}'

Response

The response body is the same as for Obtain token request, but without meta fields.

Response body example

{
  "type": "auth-token",
  "id": "0",
  "attributes": {
    "refresh": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
    "access": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
    "access_expired_at": "2020-12-29T05:42:11.925654Z",
    "refresh_expired_at": "2020-12-29T11:27:11.925654Z",
    "is_2fa_confirmed": false
  }
}

Response codes

HTTP code
Application code
Description
Suggested action

200

OK

401

2007: No active account found with the given credentials

Incorrect credentials

Send correct credentials.

500

Internal server error

Try again later.

502

Bad gateway

Try again later.

503

Service unavailable

Try again later.

504

Gateway timeout

Try again later.

5xx

Other server errors

Try again later.

Auth verification

Refer to the example below for a sign verification instance.

Auth verification example
// "crypto-js": "4.0.0" is installed as a dependency
const SHA256 = require("crypto-js/sha256");
const hmacSHA256 = require('crypto-js/hmac-sha256');

// set API user login and password
const login = 'Your API key';
const password = 'Your API secret';

// parse /api/token/ response payload
const authResponse = JSON.parse("{\n" +
    "  \"data\": {\n" +
    "    \"type\": \"auth-token\",\n" +
    "    \"id\": \"0\",\n" +
    "    \"attributes\": {\n" +
    "      \"refresh\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUz\",\n" +
    "      \"access\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI\",\n" +
    "      \"access_expired_at\": \"2020-08-24T13:50:12.192479+03:00\",\n" +
    "      \"refresh_expired_at\": \"2020-08-24T19:33:33.192479+03:00\",\n" +
    "      \"is_2fa_confirmed\": false\n" +
    "    }\n" +
    "  },\n" +
    "  \"meta\": {\n" +
    "    \"time\": \"2020-08-24T10:33:33.192479Z\",\n" +
    "    \"sign\": \"e70adec551e26b560049e42aa0993ae42cac4e03fbbb300320d8be\"\n" +
    "  }\n" +
    "}");
    
// prepare data for hash check
const message = authResponse['meta']['time'] + authResponse['data']['attributes']['refresh'];
const responseSign = authResponse['meta']['sign'];
const secret = SHA256(login + password);
const calculatedSign = hmacSHA256(message, secret).toString();

// print result
if (responseSign === calculatedSign) {
  console.log('Verified');
} else {
  console.log('Invalid sign');
}
PreviousAPI overviewNextWallet methods

Last updated

Was this helpful?