Wpay's SDK APIs use Bearer Authentication to authenticate requests.


Restricted API

This API is IP restricted to allow unauthenticated server-side calls.
Your servers will need to be on an allow list to allow refunds.

You will need to provide your API key (X-Api-Key) as a part of the header along with a bearer token (Authorization) for all API requests (unless otherwise stated).

Once the backend has the token it can be passed to the front end for use with the client-side APIs calls as part of the header.

Token Generation

APIs that require authentication need a signed JSON Web Token (JWT). This authentication token (prefixed with bearer) needs to be provided in the authorization HTTP header.

Example of how to generate a bearer token for your authentication calls via our IDM API :

curl --location \
--request POST 'https://{{environment}}' \
--header 'Content-Type: application/json' \
--header 'X-Api-Key: {{yourAPIKey}}' \
--data-raw '{
"shopperId": "70538197-f696-4f70-a025-93b03d48a03390",
"username": "[email protected]",
"isGuest": false
var myHeaders = new Headers();

var yourAPIkey = "YOUR-API-KEY";
myHeaders.append("Content-Type", "application/json");
myHeaders.append("X-Api-Key", yourAPIkey);

var raw = JSON.stringify({
  "shopperId": "1100000000092133",
  "username": "11000000000931263",
  "isGuest": false

var requestOptions = {
  method: 'POST',
  headers: myHeaders,
  body: raw,
  redirect: 'follow'

var environment = "substitute environment-value here"
  .then(response => response.text())
  .then(result => console.log(result))
  .catch(error => console.log('error', error));


  • yourAPIKey contains your merchant API key which will be provided to you when joining Wpay
  • access_token_exp is the time in seconds in which the access token will expire. This will default to 1 hour should no value be provided.
  • shopperId is your unique customer identifier for your customer within your system. This is required to be unique for both registered and guest users. This should never be an email address or any other value that may change over time for the user.
  • isGuest is an optional boolean flag that can be set based on your user type. If the user is a registered user in your system set this to false or if they are a guest user set this to true. This will default to false.
    • Guest users are your customers who have not registered their details with your store and therefore they cannot permanently save instruments to their customer wallet for later use.

Authentication Environments

The {{environment}} variable can be set to the below to access the required environment for the authentication API.

User Acceptance Testinguat

Token Response

    "accessToken": "9ZhistH7jGgcao8QPH6ApAIsy2NW",
    "accessTokenExpiresIn": 3599,
    "refreshToken": "87eB6Pmp0x9I8x54NLtIYQo9nQ15FxoS",
    "refreshTokenExpiresIn": 2591999,
    "tokensIssuedAt": 1629782182152,
    "isGuestToken": false,
    "idmStatusOK": false


  • accessToken is the bearer token value to be used in subsequent endpoint calls
  • accessTokenExpiresIn is the time in seconds in which the access token will expire
  • tokensIssuedAt is an epoch time in milliseconds GMT: Tuesday, 24 August 2021 05:16:22.152