API authentication
In this guide, we’ll walk you through how to authenticate with Volt API. Depending on your role as a customer—Merchant, Payment Service Provider (PSP), or Technical Service Provider (TSP)—you will need specific credentials to obtain an access token. Below, we outline the credential requirements for each type of customer:
- 
Merchants will need to provide both a client_idandclient_secret, representing their application, and ausernameandpasswordto access their data.
- 
PSPs (Payment Service Providers) must supply credentials for their application and additionally manage usernames and passwords for each merchant they support. 
- 
TSPs (Technical Service Providers) require similar credentials as PSPs, with merchants generating their own usernames and passwords for accessing data via the TSP’s integration. 
Where to find your client id and secret
Your client_id and client_secret are available for each application you have created in Fuzebox > Configuration > Applications
| How to create application credentials | Find in Fuzebox | 
Where to find the username and password
Your merchant will find their username and password in Fuzebox > Configuration > Customers
| How to generate customer credentials | Find in Fuzebox | 
Generate an access token
See the request and response for authentication described in our API docs.
Details of the steps within this flow are shown below:
- 
Partner authenticates with Volt by calling POST /oauthendpoint.
{
	"grant_type": "password",
	"client_id": "{client_id}",
	"client_secret": "{client_secret}",
	"username": "{username}",
	"password": "{password}"
}- In the response there will be an access_tokenproperty, among other things. Thisaccess_tokenallows you to communicate with the Volt API.
{
	"access_token": "ey...",
	"token_type": "Bearer",
	"expires_in": 86400,
	"refresh_token": "92y..."
}Using your access token
An access_token is valid for the number of seconds indicated by the expires_in value in the response for POST /oauth request. In the response there is also a refresh_token, which will be valid for 24 hours, allowing you to obtain a new access_token without needing to re-authenticate.
To access other endpoints in our API, you need to send the access_token in an HTTP header called “Authorization” in the format “Bearer {access_token}”. Note that Authorization must be spelled with a “z” and there’s a single space between Bearer and your access token.
Authorization: Bearer eyJ...In0