BearerAuth (JWT)
Authenticate using OAuth 2.0
Alternatively, OAuth 2.0 can be used together with the Client ID, Client Secret, and Scope. This information is provided during onboarding.
Using the provided credentials, you will be able to generate a JWT access token that needs to be used in all API calls.
Prerequisites for using APIs
To authenticate with the Verifone APIs, you must obtain an access token. This access token is attached to API requests and inspected for a valid signature and expiration time when performing API calls.
How to obtain the authentication credentials
You will be provided with the following details during onboarding:
Client ID
Client Secret (associated to the Client ID)
Scope
Use the following links for each environment:
EMEA Production
With this information combination, you can authenticate/authorize and receive the access token.
How to obtain the access token (JWT)
The access token is formatted as a JWT (JSON Web Token).
The OAuth2.0 Client Credential grant flow is used to get the access token. Your application will need to have the Client ID and Client Secret stored securely.
Perform the following call to get your access token:
Request parameters
client_credentials- indicating that Client Credentials grant is in usescope- must be at least one custom scope received from Verifone; in case of multiple scope values, they need to be sent as space-separated values within a single string
Response parameters
access_token- contains the access token in JWT format RFC 7519.expires_in- contains the expiration time in seconds for the access token. Once the access token expires, you should send a new request to the authorization endpoint in order to re-authenticate your application.scope- contains the list of all the scopes associated with theaccess_token.
As per RFC 6749, a refresh token is not provided. If the request failed client authentication or is invalid, the authorization server will return a HTTP 400 (Bad Request) status code.
Example access token
If the credentials are valid, the application will receive back an access token in JSON Web Token (JWT).
Example access token:
To inspect the token, you can use Jwt.io or you can use the jwt command line tool.
Access Token Format
Obtained Access Token is in JWT format [RFC 7519].
Header
1
"alg"
RS256
Registered
2
"typ"
JWT
Registered
Payload
1
"sub"
"5f8a9877-965c-4d25-bc86-45d1cfc1c324"
Subject (User UUID)
Registered
2
"entity_id"
"a4994358-a475-4ee2-aefe-acefd622991c"
User associated Entity_id. The Entity ID can be found in Verifone Central under Administration → Organisations. The 'Organisation ID' listed is the Entity ID.
Private
4
"aud"
"Verifone View"
Audience - recipient for which the JWT is intended
Registered
5
"iat"
1516239022
Issued At Time
Registered
6
"exp"
NumericDate value
Expiration Time
Registered
7
"nbf"
1568783970
(Not Before Time) - Time before which the JWT must not be accepted for processing
Registered
8
"roles"
["MERCHANT_REVIEWER", "MERCHANT_DEVELOPER"]
User associated role(s)
Private
9
"jti"
TO6JCVdqS4hJB3_DzVurB3HOe9s
(JWT ID) - Unique identifier; can be used to prevent the JWT from being replayed
Registered
10
"scope"
Merchant Scope
Scopes (limit the API category that can be accessed)
Registered
11
"auditTrackingId"
cbadf943-c28c-450b-bd53-ef11c2b7d80c-17881178
AM correlation to audit trail
Private
12
"auth_level"
0
AM Authentication level
Private
13
"tokenName"
access_token
Token description
Private
14
"realm"
"/MerchantApp"
AM authentication realms
Private
Signature
The result of the following computation:
Using the JWT to authenticate in API calls
Once a access token has been obtained, this must be used in all API requests to any of the Verifone APIs.
This can be done by sending the access token as bearer token in the Authorization HTTP header.
Last updated
Was this helpful?