Authentication guide

This guide describes how you can obtain an access token with the Oauth API. You need the access token to call the PagoNxt APIs.

PagoNxt APIs uses access tokens to make sure that that only applications authorized and approved can access API operations.

Although every API call requires an access token, the type of the token depends on the API: When the API handles protected resources on behalf of the resource owner, a “JWT profile” access token is used. This means that the app needs to generate a JWT Bearer token to retrieve the access token. The JWT Bearer token is used to identify the resource owner.

To obtain the access token to call API endpoints, which are protected with OAuth 2.0 JWT Bearer grant, you must first create a JWT Bearer token and then use it to request the JWT profile access token.

📘

The PagoNxt APIs are in constant development. As such, an API may only have certain environments available.

Introduction to authentication

Introduction to authentication
Access tokens are requested from a separate authentication API and are obtained by authorization and authentication:

  • Authorization is the process of verifying that you have access to the resource that you are requesting, in this case, the PagoNxt API.
  • Authentication is the process of verifying your identity.

These steps are needed to ensure that only approved applications can access an API, and that they can only access the resources they are permitted to access.

When requesting an access token for the PagoNxt APIs, you send a JWT Bearer token as part of a request to the Oauth API.

The JWT Bearer token is used by the Oauth API to verify your identity and, based on this information, the API confirms whether you are allowed to access the API. If the authorization and authentication steps are successful, the Oauth API provides you with an access token to use in API requests.

The following figure shows the authentication process for the One Trade APIs, where a client application requests an access token from the Oauth API and uses it in a request to the API.

Figure: One Trade API authentication process

Create a JWT Bearer token

A JWT Bearer token is included in the request body of an access token request. It allows One Trade to confirm the identity of the request sender and to check that they are permitted to access the API.

In the Sandbox Lite environment, you do not need to create or sign your own tokens for authentication. Instead, you must use the following predefined JWT Bearer token in your access token request:

eyJhbGciOiJSUzI1NiIsImtpZCI6InByb0d0c1RyYWRlSW50ZXJuZXQiLCJ0eXAiOiJKV1QifQ.eyJpYXQiOjE2Nzk5OTYwNTMsImV4cCI6MTY5Mjk1NjA1MywibmJmIjoxNjc5OTk2MDUzLCJpc3MiOiI3Yzg2MGM1Zi02YTAyLTQ4OTUtYjNlMi1hZWQzYzJlOWU2ZDEiLCJzdWIiOiI3Yzg2MGM1Zi02YTAyLTQ4OTUtYjNlMi1hZWQzYzJlOWU2ZDEiLCJhdWQiOiJwYWdvbnh0IiwianRpIjoiODllNzI2NGEtYWE1OC00YmUwLTk4OGUtMWRhYTkyZWRhYTg0In0.OxsRwXYGGrur8Q-9Ink_qCP3aHRYEqt7akaR8TPmpG2wXoYTucYldjS21be3Pg-QqYN8OKeR-9x1x4Sxn2N1xoNUpQ8IBGgFlAxmf2wSsw9YAvzsWNWERR2SgFw7DiXZbPIJZV0RArzNY1o8dI053izzO3A0iy_EfbMkU-6Ix0l26jd8w0OfImOttRwv7GpHROqYQg3Eq3yjSzPbWYKb9n68EITQQODoIeYYuJ_UGTkZo5MlH9qP92wVGheRHlFfbtDKrULJ5ta3IbXIR9nr73wJ1uGoYqdp5yotcUeD4ZT5W0RhHZ4OWoQIKCRGxuR4dndGPUNKu9CariZc_dVUlw

Obtaining an access token

This section describes how to obtain the access token via an HTTP authentication request to the Oauth API. It also illustrates a successful response.

POST https://sandbox.onetrade.api.pagonxt.com/oauth/token

The request must contain the following headers

Header NameDescriptionRequired / OptionalValues
Content-TypeFormat of the request bodyRequiredapplication/x-www-form-urlencoded
AcceptFormat of the response bodyRequiredapplication/json

📘

The access token request does not use the Authorization header

The body must include the key-value pairs as shown in the following code:

The request must include the x-www-form-urlencoded key-value pairs shown in the following table:

KeyDescriptionData typeRequired / Optional
grant_typeAccess token grant type (Client credentials)StringRequired
scopeScope of the access token.
To provide multiple scopes, the values must be separated by a space.
For a list of possible values, please refer to the specific APIS.
StringRequired
client_assertion_typeAuthorization token grant type (JWT Bearer token)StringRequired
client_assertionPredefined JWT bearer token from the previous step.StringRequired

An example body can be seen:

{
  "grant_type": "string",
  "scope": "",
  "client_assertion_type": "...",
  "client_assertion": "..."
}

If the request is valid, you receive an HTTP 200 OK response, which means that an access token was successfully issued.

For further details of HTTP response codes and instructions on how to handle errors, see HTTP codes and request error handling.

In addition to the response code, the response body returns an access token.

{
  "access_token": "ebd5a47a-c792-4a70-881d-ae94973cac47-IE",
  "token_type": "bearer",
  "expires_in": 3599,
  "scope": "accounts.create accounts.read accounts.update accounts.close transactions.read paymentcamt056.create paymentcamt029.read paymentpacs002.read paymentpacs002-id.read paymentpacs008.create paymentpacs008.simulate"
}

🚧

You'll need the access_token key for calling following APIs


PagoNxt Emoney EDE, S.L. is an electronic money company that operates under the supervision of the Bank of Spain in accordance with the provisions of Law 21/2011, of July 26, on electronic money ("Electronic Money Law") a company with registered offices in Av. Cantabria s/n. 28660, Boadilla del Monte (Madrid) and holding tax no. B- 05284831. PagoNxt is registered in the register of the Bank of Spain with the number 6722 and in the Mercantile Registry of Madrid, volume 41.692, page 130, sheet M-738.547, 1st inscription). PagoNxt Payments UK Ltd. is authorised by the Financial Conduct Authority (FCA) under the Electronic Money Regulations 2011 and Payment Service Regulations 2017 (Firm Reference Number 989454) for the issuing of electronic money and provision of payment services. PagoNxt Payments UK Ltd. is registered in England and Wales (No. 12057109) with registered office at 2 Triton Square, Regent's Place, London, NW1 3AN, United Kingdom