API token authentication
Payabli API tokens are long-lived tokens you send in the requestToken header. Payabli also supports OAuth2 Bearer tokens, which are recommended for new integrations. See OAuth authentication.
Note that API tokens are different than payment method tokens. API tokens are used for authentication, while payment method tokenization exchanges sensitive payment method information for secure tokens.
When you authenticate to the API, send the API token in the request header with the key requestToken.
You must make all API requests over HTTPS. API requests without authentication will fail.
Create and manage API tokens
You can create and manage your own API tokens in the Payabli Portal.
- Navigate to Developers > API Tokens, then click Create API Token.
- In the modal, configure your API token. See the configuration options table below.
- When finished, save your work.
To view or delete API tokens, navigate to Developers > API Tokens, then click the Action column of a token you want to manage.
API token types
To enhance security, Payabli has several different types of API token, each with different scopes and lifetime.
Organization API token (most common)
The organization token is the most basic and most commonly used API token used in the platform. Any organization or paypoint with an organization token has access to most API functions and endpoints. You can view and manage these API tokens in the Payabli Portal.
Payabli has two kinds of organization API tokens:
- Private Token: Private tokens are for making API calls and have the highest level of security.
- Public Token: Public tokens are for adding Payabli’s embeddable components in your user interface. These tokens are publicly readable.
You can’t access API endpoints related to management and authentication services for users with an organization token. To access those services, you need an application token.
Application API token
The Payabli team generates application API tokens for partners that are using API endpoints for authentication and managing entities. For example, you need this kind of token if you are building your own portals for paypoints, or any solution that involves users authenticating to Payabli outside of the Payabli Portal or a PayHub.
User API token
If you are working outside of a PayHub or the Payabli Portal, the Payabli API requires you to retrieve a user API token before performing certain actions. These tokens add an extra layer of security for managing paypoints, managing users stored in Payabli, getting access to merchant documents, and using authentication services. If you are performing these activities within the Payabli Portal or a PayHub, you don’t need to generate this token.
You need an application API token to generate a user API token.
To generate a user API token you need:
- Application API token (provided by the Payabli team to the Partner or Merchant).
- User email and user password (the user’s Payabli login credentials).
Temporary API token
Temporary API tokens are generated by services or endpoints related mainly to resetting passwords, multi-factor authentication (MFA), and activities without authentication that require approved security levels, like payment pages. Temporary tokens can be used for only one request in specific endpoints.