API authentication
In this guide, we’ll walk you through how to authenticate with Volt API. Depending on your role as a customer—Merchant, Payment Service Provider (PSP), or Technical Service Provider (TSP)—you will need specific credentials to obtain an access token. Below, we outline the credential requirements for each type of customer:
-
Merchants will need to provide both a
client_id
andclient_secret
, representing their application, and ausername
andpassword
to access their data. -
PSPs (Payment Service Providers) must supply credentials for their application and additionally manage usernames and passwords for each merchant they support.
-
TSPs (Technical Service Providers) require similar credentials as PSPs, with merchants generating their own usernames and passwords for accessing data via the TSP’s integration.
Where to find your client id and secret
Your client_id
and client_secret
are available for each application you have created in Fuzebox > Configuration > Applications
How to create application credentials | Find in Fuzebox |
Where to find the username and password
Your merchant will find their username
and password
in Fuzebox > Configuration > Customers
How to generate customer credentials | Find in Fuzebox |
Generate an access token
See the request and response for authentication described in our API docs.
Details of the steps within this flow are shown below:
-
Partner authenticates with Volt by calling
POST /oauth
endpoint.
{
"grant_type": "password",
"client_id": "{client_id}",
"client_secret": "{client_secret}",
"username": "{username}",
"password": "{password}"
}
- In the response there will be an
access_token
property, among other things. Thisaccess_token
allows you to communicate with the Volt API.
{
"access_token": "ey...",
"token_type": "Bearer",
"expires_in": 86400,
"refresh_token": "92y..."
}
Using your access token
An access_token
is valid for the number of seconds indicated by the expires_in
value in the response for POST /oauth
request. In the response there is also a refresh_token
, which will be valid for 24 hours, allowing you to obtain a new access_token
without needing to re-authenticate.
To access other endpoints in our API, you need to send the access_token
in an HTTP header called “Authorization” in the format “Bearer {access_token}”. Note that Authorization must be spelled with a “z” and there’s a single space between Bearer
and your access token.
Authorization: Bearer eyJ...In0