API authentication

In this guide, we’ll walk you through how to authenticate with Volt API. Depending on your role as a customer—Merchant, Payment Service Provider (PSP), or Technical Service Provider (TSP)—you will need specific credentials to obtain an access token. Below, we outline the credential requirements for each type of customer:

  1. Merchants will need to provide both a client_id and client_secret, representing their application, and a username and password to access their data.

  2. PSPs (Payment Service Providers) must supply credentials for their application and additionally manage usernames and passwords for each merchant they support.

  3. TSPs (Technical Service Providers) require similar credentials as PSPs, with merchants generating their own usernames and passwords for accessing data via the TSP’s integration.

Where to find your client id and secret

Your client_id and client_secret are available for each application you have created in Fuzebox > Configuration > Applications

How to create application credentials Find in Fuzebox

Where to find the username and password

Your merchant will find their username and password in Fuzebox > Configuration > Customers

How to generate customer credentials Find in Fuzebox

Generate an access token

See the request and response for authentication described in our API docs.

Details of the steps within this flow are shown below:

  1. Partner authenticates with Volt by calling POST /oauth endpoint.

POST /oauth
{
	"grant_type": "password",
	"client_id": "{client_id}",
	"client_secret": "{client_secret}",
	"username": "{username}",
	"password": "{password}"
}
  1. In the response there will be an access_token property, among other things. This access_token allows you to communicate with the Volt API.
POST /oauth response
{
	"access_token": "ey...",
	"token_type": "Bearer",
	"expires_in": 86400,
	"refresh_token": "92y..."
}

Using your access token

An access_token is valid for the number of seconds indicated by the expires_in value in the response for POST /oauth request. In the response there is also a refresh_token, which will be valid for 24 hours, allowing you to obtain a new access_token without needing to re-authenticate.

To access other endpoints in our API, you need to send the access_token in an HTTP header called “Authorization” in the format “Bearer {access_token}”. Note that Authorization must be spelled with a “z” and there’s a single space between Bearer and your access token.

Authorization: Bearer eyJ...In0