Authentication

Obtain token

API credentials are sent to your e-mail after registration. You can regenerate them anytime in Control panel > API Access.

Request

POST [base]/token

Name Type Required Description

Name	Type	Required	Description
`login`	string	Yes	Your API key.
`password`	string	Yes	Your API secret.

login

string

Yes

Your API key.

password

string

Yes

Your API secret.

Request example

curl --request POST \
--url [base]/token/ \
--header 'Content-Type: application/vnd.api+json' \
--data '{
  "data": {
    "type": "auth-token",
    "attributes": {
      "login": "<Your API key>",
      "password": "<Your secret>"
    }
  }
}'

import requests

url = '[base]/token/'

headers = {
  'content-type': 'application/vnd.api+json',
}

data = {
  'data': {
    'type': 'auth-token',
    'attributes': {
      'login': '<Your API key>',
      'password': '<Your API secret>',
    }
  }
}

requests.post(url, headers=headers, json=data)

<?php

use GuzzleHttp\Client;
use GuzzleHttp\Exception\RequestException;

$client = new GuzzleHttp\Client();
try {
  $res = $client->post('[base]/token/', [
    'json' => [
      'data' => [
        'type' => 'auth-token',
        'attributes' => [
          'login' => '<Your API key>',
          'password' => '<Your API secret>',
        ],
      ],
    ],
    'headers' => [
      'Content-Type' => 'application/vnd.api+json',
    ],
  ]);
echo $res->getBody();
} catch (RequestException $e) {}

Response

Name Type Description

Name	Type	Description
`access`	string	Your access token. It has an expiry time of about a minute and after expiration should be refreshed.
`refresh`	string	The long-living token that is used for obtaining new access tokens (refer to ).
`access_expired_at`	string	The date and time of access token expiration.
`refresh_expired_at`	string	The date and time of refresh token expiration.
`is_2fa_confirmed`	boolean	If `true`, 2FA is enabled. 2FA is unavailable for API users.
`time`	string	The date and time of request receiving.
`sign`	string	The HMAC signature for a response payload authentication. To verify that the refresh token was sent by B2BINPAY, generate an HMAC signature using the `sha256` as algorithm: `sha256` hash of the concatenation of your login and password as a key, and the concatenation of `meta.time` and `refresh` fields as a message. Refer to below for a sign verification example.

access

string

Your access token. It has an expiry time of about a minute and after expiration should be refreshed.

refresh

string

The long-living token that is used for obtaining new access tokens (refer to ).

access_expired_at

string

The date and time of access token expiration.

refresh_expired_at

string

The date and time of refresh token expiration.

is_2fa_confirmed

boolean

If true, 2FA is enabled.

2FA is unavailable for API users.

time

string

The date and time of request receiving.

sign

string

The HMAC signature for a response payload authentication.

To verify that the refresh token was sent by B2BINPAY, generate an HMAC signature using the sha256 as algorithm: sha256 hash of the concatenation of your login and password as a key, and the concatenation of meta.time and refresh fields as a message.

Refer to below for a sign verification example.

Response example

{
  "data": {
    "type": "auth-token",
    "id": "0",
    "attributes": {
      "refresh": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
      "access": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
      "access_expired_at": "2020-12-29T05:42:11.925654Z",
      "refresh_expired_at": "2020-12-29T11:27:11.925654Z",
      "is_2fa_confirmed": false
    }
  },
  "meta": {
    "time": "2020-12-29T05:27:11.925654Z",
    "sign": "bcd6519ce27fed2ce9efe49cd09b387f050c0122c96..."
  }
}

Response codes

HTTP code Application code Description Suggested action

HTTP code	Application code	Description	Suggested action
`200`	—	OK	—
`400`	2006: No active account found with the given credentials	Incorrect credentials	Send correct credentials.
`429`	throttled: Request was throttled	Too many requests	Try again later.
`500`	—	Internal server error	Try again later.
`502`	—	Bad gateway	Try again later.
`503`	—	Service unavailable	Try again later.
`504`	—	Gateway timeout	Try again later.
`5xx`	—	Other server errors	Try again later.

200

—

400

2006: No active account found with the given credentials

Incorrect credentials

Send correct credentials.

429

throttled: Request was throttled

Too many requests

Try again later.

500

—

Internal server error

Try again later.

502

—

Bad gateway

Try again later.

503

—

Service unavailable

Try again later.

504

—

Gateway timeout

Try again later.

5xx

—

Other server errors

Try again later.

Refresh token

Once you receive a new key pair using your refresh token, the previous refresh token can no longer be used. A refresh token that is found to be invalid while not being expired must be rendered suspicious.

Request

POST [base]/token/refresh/

Name Type Required Description

Name	Type	Required	Description
`refresh`	string	Yes	Your refresh token from the response.

refresh

string

Yes

Your refresh token from the response.

Request example

curl --request POST \
--url [base]/token/refresh/ \
--header 'Content-Type: application/vnd.api+json' \
--data '{
  "data": {
    "type": "auth-token",
    "attributes": {
      "refresh": "<Your refresh token>"
    }
  }
}'

import requests

url = '[base]/token/refresh/'

headers = {
  'content-type': 'application/vnd.api+json',
}

data = {
  'data': {
    'type': 'auth-token',
    'attributes': {
      'refresh': '<Your refresh token>',
    },
  },
}

requests.post(url, headers=headers, json=data)

<?php

use GuzzleHttp\Client;
use GuzzleHttp\Exception\RequestException;

$client = new GuzzleHttp\Client();
try {
  $res = $client->post('[base]/token/refresh/', [
    'json' => [
      'data' => [
        'type' => 'auth-token',
        'attributes' => [
          'refresh' => 'Your refresh token',
        ],
      ],
    ],
    'headers' => [
      'Content-Type' => 'application/vnd.api+json',
    ],
  ]);
echo $res->getBody();
} catch (RequestException $e) {}

Response

The response body is the same as for Obtain token request, but without meta fields.

Response body example

{
  "type": "auth-token",
  "id": "0",
  "attributes": {
    "refresh": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
    "access": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
    "access_expired_at": "2020-12-29T05:42:11.925654Z",
    "refresh_expired_at": "2020-12-29T11:27:11.925654Z",
    "is_2fa_confirmed": false
  }
}

Response codes

HTTP code Application code Description Suggested action

HTTP code	Application code	Description	Suggested action
`200`	—	OK	—
`401`	2007: No active account found with the given credentials	Incorrect credentials	Send correct credentials.
`500`	—	Internal server error	Try again later.
`502`	—	Bad gateway	Try again later.
`503`	—	Service unavailable	Try again later.
`504`	—	Gateway timeout	Try again later.
`5xx`	—	Other server errors	Try again later.

200

—

401

2007: No active account found with the given credentials

Incorrect credentials

Send correct credentials.

500

—

Internal server error

Try again later.

502

—

Bad gateway

Try again later.

503

—

Service unavailable

Try again later.

504

—

Gateway timeout

Try again later.

5xx

—

Other server errors

Try again later.

Auth verification

Refer to the example below for a sign verification instance.

Auth verification example

// "crypto-js": "4.0.0" is installed as a dependency
const SHA256 = require("crypto-js/sha256");
const hmacSHA256 = require('crypto-js/hmac-sha256');

// set API user login and password
const login = 'Your API key';
const password = 'Your API secret';

// parse /api/token/ response payload
const authResponse = JSON.parse("{\n" +
    "  \"data\": {\n" +
    "    \"type\": \"auth-token\",\n" +
    "    \"id\": \"0\",\n" +
    "    \"attributes\": {\n" +
    "      \"refresh\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUz\",\n" +
    "      \"access\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI\",\n" +
    "      \"access_expired_at\": \"2020-08-24T13:50:12.192479+03:00\",\n" +
    "      \"refresh_expired_at\": \"2020-08-24T19:33:33.192479+03:00\",\n" +
    "      \"is_2fa_confirmed\": false\n" +
    "    }\n" +
    "  },\n" +
    "  \"meta\": {\n" +
    "    \"time\": \"2020-08-24T10:33:33.192479Z\",\n" +
    "    \"sign\": \"e70adec551e26b560049e42aa0993ae42cac4e03fbbb300320d8be\"\n" +
    "  }\n" +
    "}");
    
// prepare data for hash check
const message = authResponse['meta']['time'] + authResponse['data']['attributes']['refresh'];
const responseSign = authResponse['meta']['sign'];
const secret = SHA256(login + password);
const calculatedSign = hmacSHA256(message, secret).toString();

// print result
if (responseSign === calculatedSign) {
  console.log('Verified');
} else {
  console.log('Invalid sign');
}

PreviousAPI overview NextWallet methods

Last updated 1 month ago