API authentication

The Acquiring API uses the OAuth 2.0 client credentials flow for authentication. You obtain an access token by presenting your client credentials (client ID and client secret) to our token endpoint, and you must then include that token in the headers of your API requests. This page explains the mechanism in detail.

If you are using one of our SDKs, you will not have to implement these actions.

Obtaining credentials

To obtain your client ID and client secret, reach out to your contact point at Worldline. You will be granted the appropriate permissions, expressed as the scopes listed below.

  • processing_payment: Allows you to create, retrieve and perform actions on payments.

  • processing_refund: Allows you to create, retrieve and perform actions on standalone refunds.

  • processing_credittransfer: Allows you to create and retrieve a credit transfer.

  • processing_accountverification: Allows you to perform an account verification.

  • processing_operation_reverse: Allows you to reverse an operation.

  • processing_dcc_rate: Allows you to request a dynamic currency conversion (DCC) rate.

  • services_ping: Allows you to test the connection to the API.

Obtaining an Access Token

To obtain an access token, send a POST request to our token endpoint with your client ID and client secret.

Endpoint:

Content-Type: application/x-www-form-urlencoded

Body:

grant_type: "client_credentials"
scope: "processing_payment processing_refund"

The scope field must contain the list of permissions, separated by whitespace, that you want to use with the returned token. The permissions you request here must have been granted to your client ID when it was issued.

Response:

{
    "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjVBRDJFNkEzMTA4MkU4OThGOTZEMDQxRjMzMjc2RDRFQzRGRUI4RDciLCJ0eXAiOiJKV1QiLCJ4NXQiOiJXdExtb3hDQzZKajViUVFmTXlkdFRzVC11TmMifQ.….CyJ3OJnryqDPirO6J_oI6grdSnsSMDytrdr_IAKV4qbv03DLu9lR-XElzTeaXPYtXB_zlIhzt1EGxl9dvX6TDS3u17hKboqlV294mi_T2eGyjU5G_f-eVIE7cYVQrbmg0FsuvnTX42JoF1XtS9QZs7qCED6eGd2ADLx21rW7gYZ223XGJMPpSLvIz4DF0eJECenG416NfsEw5BNQfq0UFP1Aim5bf3d6-Hmj518HjcY3rnToCx4Lr8eDBI-3uvqjWwYm76F9p5SNo90Ge-eUxDH8RHPqXEX8tB0DAjPa8IdHgRorr1SbEZeK2ctinKRzOfXIWsYC4c9WCa1OKrzxRg",
    "expires_in": 3600,
    "token_type": "Bearer"
}

Using the Access Token

After obtaining the access token, you must include it in the Authorization header of your API requests, as shown in the example below.

Endpoint:

Content-Type: application/json

HTTP Header:

Authorization: "Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjVBRDJFNkEzMTA4MkU4OThGOTZEMDQxRjMzMjc2RDRFQzRGRUI4RDciLCJ0eXAiOiJKV1QiLCJ4NXQiOiJXdExtb3hDQzZKajViUVFmTXlkdFRzVC11TmMifQ.eyJuYmYiOjE3MjcxNjQ2NjQsImV4cCI6MTcyNzE2ODI2NCwiaXNzIjoiaHR0cHM6Ly9hdXRoLXRlc3QtZXUtd2VzdC0xLmF3cy5iYW1ib3JhLmNvbSIsImF1ZCI6WyJodHRwczovL2F1dGgtdGVzdC1ldS13ZXN0LTEuYXdzLmJhbWJvcmEuY29tL3Jlc291cmNlcyIsIndsX3BheW1lbnRfY3JlYXRlIl0sImNsaWVudF9pZCI6ImQ2NzQzMjQyLTE5OGYtNDMxZC04NmZkLTUxMmZhNDgyMDQ4MSIsInByaXZpbGVnZXMiOiJ7XCJ2ZXJzaW9uXCI6MSxcInByaXZpbGVnZXNcIjpbe1wibWVyY2hhbnRzXCI6W1wiMFwiXSxcInNjb3Blc1wiOltcIndsX3BheW1lbnRfY3JlYXRlXCJdfV19Iiwic2NvcGUiOlsid2xfcGF5bWVudF9jcmVhdGUiXX0.N2kvmJewxo7OvrkUJfoHQLTvbgFAi5JBXSgLkAQ5p2TZRl4-38H_MDzLLpD3Vi7IlFg1fg76mglSSH2WRHSTe43atXZBHZYSb5YJDl8RDgxFZj1uulMEZCIc1iqJFuHg0PCjKvQXs6UiB79-KLfI-9qfMSdJ6end4hC9APl31Vy_W2d_yiPBWVEW33CQSXCzDyxfrce4IHRG0dwNobXiWQ6lYG02G4hv76rn6VuhLEa_UiRa_ZAPjdb01_Kd0IypKd8FIJgphxE78-Pzr0S9hEpLrXwDUKaEafjzT8e23gvmwv3JlfGWfvUe0CIcyUQV2mGIRislEZ-dq-DQ8kdv6A "

The part after Bearer is the token retrieved in the previous step.

Access token expiration

The access token has a lifetime of 1 hour (as indicated in the expires_in field, which is expressed in seconds and returned when you get the token). Because we follow the OAuth 2.0 client credentials flow, there is no token refresh mechanism: you simply request a new token.
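
The token request, reuse and renewal described above can be wrapped in a small cache so that a token is fetched once, reused for its lifetime, and re-requested shortly before it expires. This is an added example, not Worldline or SDK code: `TOKEN_URL` is a placeholder (the endpoint URL is not shown on this page), the names `TokenCache` and `http_post` are hypothetical, and sending the client credentials via HTTP Basic authentication is an assumption, since the page does not state how they are transmitted.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholder: the token endpoint URL is not shown on this page.
TOKEN_URL = "https://auth.example.invalid/token"

def http_post(url, body, headers):
    """POST a form body over HTTPS and return the parsed JSON response."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Hypothetical helper: one cached token per client, renewed before expiry."""

    def __init__(self, client_id, client_secret, scopes,
                 post=http_post, clock=time.monotonic, skew=60):
        self._id, self._secret = client_id, client_secret
        self._scopes = list(scopes)        # request only the scopes you need
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._renew_at = None, 0.0

    def _fetch(self):
        body = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "scope": " ".join(self._scopes),   # whitespace-separated list
        }).encode()
        # Assumption: credentials go in HTTP Basic auth (RFC 6749 section 2.3.1).
        pair = ":".join(urllib.parse.quote_plus(v) for v in (self._id, self._secret))
        headers = {
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
        }
        data = self._post(TOKEN_URL, body, headers)
        if str(data.get("token_type", "")).lower() != "bearer" or not data.get("access_token"):
            raise ValueError("unexpected token response")  # never log the body
        self._token = data["access_token"]
        # Renew `skew` seconds early so a request never carries an expired token.
        self._renew_at = self._clock() + int(data["expires_in"]) - self._skew

    def auth_header(self):
        """Return the Authorization header, fetching a new token only when due."""
        if self._token is None or self._clock() >= self._renew_at:
            self._fetch()
        return {"Authorization": "Bearer " + self._token}
```

Keep the client secret and issued tokens out of logs and error messages, and hold one `TokenCache` per client ID so that concurrent requests share a token instead of each requesting its own.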