
Security

To access our API, you first have to obtain an access token. The token is a string of arbitrary length (30+ chars) and has to be included in an HTTP header of every request to the API. This section describes how to obtain a valid access token and use it to access protected resources.

  • To obtain an access token, use the /authentication/v1/partner resource with the appropriate parameters.

  • The access token should be present in every request, in the Authorization request header with type Bearer. If your access token has the value secret_token, it should be specified as follows:

    Authorization: Bearer secret_token

A real example using curl looks like this:

    curl -H "Authorization: Bearer secret_token" https://api.partner.skippay.cz/financing/v1/applications

  • The access token has limited validity (2 hours). After it expires, you have to obtain a new one using the /authentication/v1/partner resource.

  • If you fail to specify an access token, you will receive a 401 Unauthorized error and the following response body:

    {
      "error_description": "The access token is missing",
      "error": "invalid_request"
    }

  • If you provide an invalid access token, you will receive a 401 Unauthorized error and the following response body:

    {
      "error_description": "The access token is invalid or has expired",
      "error": "invalid_token"
    }

💡 See Login endpoint

IMPORTANT NOTE: You must keep your access token and login credentials safe. NEVER put login credentials or the access token into a client page. If you plan to integrate API calls in the client flow without submitting the page to the server, you should implement a REST endpoint bound to your shopping basket session that will be used as a proxy to call the Skip Pay API.

NEVER transfer the access token or login credentials over plain HTTP. Such requests will be refused.
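
The token handling a server-side proxy needs (2-hour validity, renewal on the invalid_token response, HTTPS only) can be sketched as follows. This is an added example, not Skip Pay's own code: fetch_token and send are hypothetical callables you supply (the first wraps your call to /authentication/v1/partner, the second performs the HTTP request), and the one-minute refresh margin and the sample response body are assumptions.

```python
import time
from urllib.parse import urlsplit

TOKEN_TTL = 2 * 60 * 60   # from the page: a token is valid for 2 hours
REFRESH_MARGIN = 60       # assumption: renew one minute before expiry


class TokenSession:
    """Keeps the access token on the server; it is never sent to the browser."""

    def __init__(self, fetch_token, send, clock=time.monotonic):
        self.fetch_token = fetch_token  # hypothetical: calls /authentication/v1/partner
        self.send = send                # hypothetical: (url, headers) -> (status, body dict)
        self.clock = clock
        self.token = None
        self.expires_at = 0.0

    def refresh(self):
        self.token = self.fetch_token()
        self.expires_at = self.clock() + TOKEN_TTL - REFRESH_MARGIN

    def call(self, url):
        return self.send(url, {"Authorization": f"Bearer {self.token}"})

    def get(self, url):
        # Plain HTTP is refused by the API; fail before the token leaves the process.
        if urlsplit(url).scheme != "https":
            raise ValueError("access token may only be sent over HTTPS")
        if self.token is None or self.clock() >= self.expires_at:
            self.refresh()
        status, body = self.call(url)
        # invalid_token: expired or rejected early, so renew and retry exactly once.
        # invalid_request (token missing) is a client bug and is not retried.
        if status == 401 and body.get("error") == "invalid_token":
            self.refresh()
            status, body = self.call(url)
        return status, body


if __name__ == "__main__":
    # Constructed stand-ins so the example runs offline.
    stale = {"tok-1"}
    tokens = iter(["tok-1", "tok-2"])
    def fake_send(url, headers):
        if headers["Authorization"].split(" ", 1)[1] in stale:
            return 401, {"error": "invalid_token"}
        return 200, {"applications": []}
    session = TokenSession(lambda: next(tokens), fake_send)
    print(session.get("https://api.partner.skippay.cz/financing/v1/applications"))
```

Your basket-session endpoint would call get() on one shared TokenSession and return only the response body to the browser.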