Authentication
Obtain token
Note
API credentials are sent to your e-mail after registration. You can regenerate them anytime in Control panel > API Access.
Request
- login (string, required): Your API key.
- password (string, required): Your API secret.

POST [base]/token/
```bash
curl --request POST \
  --url [base]/token/ \
  --header 'Content-Type: application/vnd.api+json' \
  --data '{
    "data": {
      "type": "auth-token",
      "attributes": {
        "login": "<Your API key>",
        "password": "<Your API secret>"
      }
    }
  }'
```

```python
import requests

url = '[base]/token/'
headers = {
    'content-type': 'application/vnd.api+json',
}
data = {
    'data': {
        'type': 'auth-token',
        'attributes': {
            'login': '<Your API key>',
            'password': '<Your API secret>',
        }
    }
}
# Keep the response: it carries the access and refresh tokens.
response = requests.post(url, headers=headers, json=data, timeout=10)
print(response.text)
```

```php
<?php
// Composer autoloader (assumes Guzzle was installed with Composer).
require 'vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Exception\RequestException;

$client = new Client();
try {
    $res = $client->post('[base]/token/', [
        'json' => [
            'data' => [
                'type' => 'auth-token',
                'attributes' => [
                    'login' => '<Your API key>',
                    'password' => '<Your API secret>',
                ],
            ],
        ],
        'headers' => [
            'Content-Type' => 'application/vnd.api+json',
        ],
    ]);
    echo $res->getBody();
} catch (RequestException $e) {
    // Report the failure instead of silently ignoring it.
    error_log('Token request failed: ' . $e->getMessage());
}
```
Response
- access (string): Your access token. It has an expiry time of about a minute and should be refreshed after it expires.
- refresh (string): The long-living token that is used for obtaining new access tokens (refer to Refresh token).
- access_expired_at (string): The date and time of access token expiration.
- refresh_expired_at (string): The date and time of refresh token expiration.
- is_2fa_confirmed (boolean): If true, 2FA is enabled. 2FA isn't available for API users.
- time (string): The date and time of request receiving.
- sign (string): The HMAC signature for a response payload authentication.

  To verify that the refresh token was sent by B2BinPay, generate an HMAC signature using sha256 as the algorithm: use the sha256 hash of the concatenation of your login and password as the key, and the concatenation of the meta.time and refresh fields as the message.

  Refer to Auth verification below for a sign verification example.
```json
{
  "data": {
    "type": "auth-token",
    "id": "0",
    "attributes": {
      "refresh": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
      "access": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
      "access_expired_at": "2020-12-29T05:42:11.925654Z",
      "refresh_expired_at": "2020-12-29T11:27:11.925654Z",
      "is_2fa_confirmed": false
    }
  },
  "meta": {
    "time": "2020-12-29T05:27:11.925654Z",
    "sign": "bcd6519ce27fed2ce9efe49cd09b387f050c0122c96..."
  }
}
```
Response codes
HTTP code | Application code | Description | Suggested action |
---|---|---|---|
200 | — | The request succeeded. | — |
400 | 2006: No active account found with the given credentials. | Incorrect credentials. | Send correct credentials. |
429 | throttled: Request was throttled. | Too many requests. | Try again later. |
500 | — | Internal server error. | Try again later. |
502 | — | Bad gateway. | Try again later. |
503 | — | Service unavailable. | Try again later. |
504 | — | Gateway timeout. | Try again later. |
5xx | — | Other server errors. | Try again later. |
Refresh token
Important
Once you receive a new key pair using your refresh token, the previous refresh token can no longer be used. A refresh token that is found to be invalid while not being expired must be treated as suspicious.
Request
- refresh (string, required): Your refresh token from the Obtain token response.

POST [base]/token/refresh/
```bash
curl --request POST \
  --url [base]/token/refresh/ \
  --header 'Content-Type: application/vnd.api+json' \
  --data '{
    "data": {
      "type": "auth-token",
      "attributes": {
        "refresh": "<Your refresh token>"
      }
    }
  }'
```

```python
import requests

url = '[base]/token/refresh/'
headers = {
    'content-type': 'application/vnd.api+json',
}
data = {
    'data': {
        'type': 'auth-token',
        'attributes': {
            'refresh': '<Your refresh token>',
        },
    },
}
# Keep the response: it carries the new access and refresh tokens.
response = requests.post(url, headers=headers, json=data, timeout=10)
print(response.text)
```

```php
<?php
// Composer autoloader (assumes Guzzle was installed with Composer).
require 'vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Exception\RequestException;

$client = new Client();
try {
    $res = $client->post('[base]/token/refresh/', [
        'json' => [
            'data' => [
                'type' => 'auth-token',
                'attributes' => [
                    'refresh' => '<Your refresh token>',
                ],
            ],
        ],
        'headers' => [
            'Content-Type' => 'application/vnd.api+json',
        ],
    ]);
    echo $res->getBody();
} catch (RequestException $e) {
    // Report the failure instead of silently ignoring it.
    error_log('Token refresh failed: ' . $e->getMessage());
}
```
Response
The response body is the same as for the Obtain token request, but without meta fields.
```json
{
  "type": "auth-token",
  "id": "0",
  "attributes": {
    "refresh": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
    "access": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
    "access_expired_at": "2020-12-29T05:42:11.925654Z",
    "refresh_expired_at": "2020-12-29T11:27:11.925654Z",
    "is_2fa_confirmed": false
  }
}
```
Response codes
HTTP code | Application code | Description | Suggested action |
---|---|---|---|
200 | — | The request succeeded. | — |
401 | 2007: No active account found with the given credentials. | Incorrect credentials. | Send correct credentials. |
500 | — | Internal server error. | Try again later. |
502 | — | Bad gateway. | Try again later. |
503 | — | Service unavailable. | Try again later. |
504 | — | Gateway timeout. | Try again later. |
5xx | — | Other server errors. | Try again later. |
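One way a client can apply the rotation rule from the Important note at the start of this section, as an added example that is not B2BinPay's own code. `TokenSession`, `send_refresh`, `make_fake_server` and the two exception names are hypothetical, and the fake server is constructed so the block runs offline.

```python
from datetime import datetime

class SuspiciousRefreshFailure(Exception):
    """An unexpired refresh token was rejected: someone else may have used it."""

class ReauthenticationRequired(Exception):
    """The refresh token expired; repeat the Obtain token request."""

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

class TokenSession:
    def __init__(self, attributes, send_refresh):
        # send_refresh(refresh) -> (http_status, attributes or None) is a
        # hypothetical transport hook wrapping POST [base]/token/refresh/.
        self._send_refresh = send_refresh
        self._store(attributes)

    def _store(self, attributes):
        self.access = attributes["access"]
        self.refresh = attributes["refresh"]
        self.access_expires = parse_ts(attributes["access_expired_at"])
        self.refresh_expires = parse_ts(attributes["refresh_expired_at"])

    def access_token(self, now):
        if now < self.access_expires:
            return self.access
        if now >= self.refresh_expires:
            raise ReauthenticationRequired("refresh token expired")
        status, attributes = self._send_refresh(self.refresh)
        if status == 200:
            self._store(attributes)  # rotation: the old refresh token is dead
            return self.access
        if status == 401:
            raise SuspiciousRefreshFailure("unexpired refresh token rejected")
        raise RuntimeError(f"refresh failed with HTTP {status}; try again later")

def make_fake_server(valid_refresh):
    # Constructed stand-in for the API: each refresh token works exactly once.
    state = {"valid": valid_refresh, "n": 0}
    def send_refresh(token):
        if token != state["valid"]:
            return 401, None
        state["n"] += 1
        state["valid"] = f"refresh-{state['n']}"
        return 200, {"access": f"access-{state['n']}", "refresh": state["valid"],
                     "access_expired_at": "2020-12-29T05:57:11.925654Z",
                     "refresh_expired_at": "2020-12-29T11:42:11.925654Z"}
    return send_refresh
```

On `SuspiciousRefreshFailure`, a client would typically stop using the session, alert, and regenerate the API credentials in the Control panel before authenticating again.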
Auth verification
The example below shows how to verify the sign.
```javascript
// "crypto-js": "4.0.0" is installed as a dependency
const SHA256 = require("crypto-js/sha256");
const hmacSHA256 = require('crypto-js/hmac-sha256');

// set API user login and password
const login = 'Your API key';
const password = 'Your API secret';

// parse /api/token/ response payload
const authResponse = JSON.parse("{\n" +
    "  \"data\": {\n" +
    "    \"type\": \"auth-token\",\n" +
    "    \"id\": \"0\",\n" +
    "    \"attributes\": {\n" +
    "      \"refresh\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUz\",\n" +
    "      \"access\": \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI\",\n" +
    "      \"access_expired_at\": \"2020-08-24T13:50:12.192479+03:00\",\n" +
    "      \"refresh_expired_at\": \"2020-08-24T19:33:33.192479+03:00\",\n" +
    "      \"is_2fa_confirmed\": false\n" +
    "    }\n" +
    "  },\n" +
    "  \"meta\": {\n" +
    "    \"time\": \"2020-08-24T10:33:33.192479Z\",\n" +
    "    \"sign\": \"e70adec551e26b560049e42aa0993ae42cac4e03fbbb300320d8be\"\n" +
    "  }\n" +
    "}");

// prepare data for hash check
const message = authResponse['meta']['time'] + authResponse['data']['attributes']['refresh'];
const responseSign = authResponse['meta']['sign'];
const secret = SHA256(login + password);
const calculatedSign = hmacSHA256(message, secret).toString();

// print result
if (responseSign === calculatedSign) {
    console.log('Verified');
} else {
    console.log('Invalid sign');
}
```
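The same check using only Python's standard library, as an added example that is not part of the original page. It assumes, following the JavaScript sample above, that the HMAC key is the raw SHA-256 digest bytes rather than the hex string; the credentials and response are constructed, and `compute_sign`, `verify_token_response` and `build_sample` are hypothetical names.

```python
import hashlib
import hmac

def compute_sign(login, password, meta_time, refresh):
    # Assumption taken from the JavaScript sample: the HMAC key is the raw
    # SHA-256 digest of login + password, not its hex representation.
    key = hashlib.sha256((login + password).encode("utf-8")).digest()
    message = (meta_time + refresh).encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_token_response(payload, login, password):
    """Return True only if meta.sign authenticates meta.time + refresh."""
    try:
        meta_time = payload["meta"]["time"]
        sign = payload["meta"]["sign"]
        refresh = payload["data"]["attributes"]["refresh"]
    except (KeyError, TypeError):
        return False  # a missing field means unverified, never valid
    if not all(isinstance(v, str) for v in (meta_time, sign, refresh)):
        return False
    expected = compute_sign(login, password, meta_time, refresh)
    # Compare as bytes in constant time instead of with ==.
    return hmac.compare_digest(expected.encode(), sign.encode("utf-8", "replace"))

# Constructed credentials and response, so the example runs offline.
LOGIN = "example-api-key"
PASSWORD = "example-api-secret"

def build_sample():
    meta_time = "2020-12-29T05:27:11.925654Z"
    refresh = "constructed.refresh.token"
    return {
        "data": {"type": "auth-token", "id": "0",
                 "attributes": {"refresh": refresh, "access": "constructed.access"}},
        "meta": {"time": meta_time,
                 "sign": compute_sign(LOGIN, PASSWORD, meta_time, refresh)},
    }

if __name__ == "__main__":
    sample = build_sample()
    print("genuine:", verify_token_response(sample, LOGIN, PASSWORD))
    sample["data"]["attributes"]["refresh"] = "swapped.refresh.token"
    print("tampered:", verify_token_response(sample, LOGIN, PASSWORD))
```

Only the refresh token and meta.time are covered by the sign, so a passing check says nothing about the access token or the expiry fields.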