Authentication
Wpay's SDK APIs use Bearer Authentication to authenticate requests.
Restricted API
This API is IP restricted to allow unauthenticated server-side calls.
Your servers will need to be on an allow list to allow refunds.
You will need to provide your API key (`X-Api-Key`) as a part of the header along with a bearer token (`Authorization`) for all API requests (unless otherwise stated).
Once the backend has the token, it can be passed to the front end for use with the client-side API calls as part of the header.
Token Generation
APIs that require authentication need a signed JSON Web Token (JWT). This authentication token (prefixed with bearer) needs to be provided in the `authorization` HTTP header.
Example of how to generate a bearer token for your authentication calls via our IDM API:
```bash
curl --location \
  --request POST 'https://{{environment}}.mobile-api.woolworths.com.au/wow/v1/idm/servers/token?access_token_exp=2592000&refresh_token_exp=2592000' \
  --header 'Content-Type: application/json' \
  --header 'X-Api-Key: {{yourAPIKey}}' \
  --data-raw '{
    "shopperId": "70538197-f696-4f70-a025-93b03d48a03390",
    "username": "[email protected]",
    "isGuest": false
  }'
```
```javascript
// Request headers: JSON body plus the merchant API key
var myHeaders = new Headers();
var yourAPIkey = "YOUR-API-KEY";
myHeaders.append("Content-Type", "application/json");
myHeaders.append("X-Api-Key", yourAPIkey);

// Shopper details for which the token is issued
var raw = JSON.stringify({
  "shopperId": "1100000000092133",
  "username": "11000000000931263",
  "isGuest": false
});

var requestOptions = {
  method: 'POST',
  headers: myHeaders,
  body: raw,
  redirect: 'follow'
};

var environment = "substitute environment-value here";

// access_token_exp and refresh_token_exp are lifetimes in seconds
fetch(
  `https://${environment}.mobile-api.woolworths.com.au/wow/v1/idm/servers/token?access_token_exp=3600&refresh_token_exp=2592000`,
  requestOptions
)
  .then(response => response.text())
  .then(result => console.log(result))
  .catch(error => console.log('error', error));
```
Where:
- `yourAPIKey` contains your merchant API key, which will be provided to you when joining Wpay.
- `access_token_exp` is the time in seconds in which the access token will expire. This will default to 1 hour should no value be provided.
- `shopperId` is your unique customer identifier for your customer within your system. This is required to be unique for both registered and guest users. This should never be an email address or any other value that may change over time for the user.
- `isGuest` is an optional boolean flag that can be set based on your user type. If the user is a registered user in your system, set this to `false`, or if they are a guest user, set this to `true`. This will default to false.
  - Guest users are your customers who have not registered their details with your store and therefore they cannot permanently save instruments to their customer wallet for later use.
Authentication Environments
The `{{environment}}` variable can be set to the below to access the required environment for the authentication API.
Environment | Variable |
---|---|
Test | test |
User Acceptance Testing | uat |
Token Response
```json
{
  "accessToken": "9ZhistH7jGgcao8QPH6ApAIsy2NW",
  "accessTokenExpiresIn": 3599,
  "refreshToken": "87eB6Pmp0x9I8x54NLtIYQo9nQ15FxoS",
  "refreshTokenExpiresIn": 2591999,
  "tokensIssuedAt": 1629782182152,
  "isGuestToken": false,
  "idmStatusOK": false
}
```
Where:
- `accessToken` is the bearer token value to be used in subsequent endpoint calls
- `accessTokenExpiresIn` is the time in seconds in which the access token will expire
- `tokensIssuedAt` is an epoch time in milliseconds
  - GMT: Tuesday, 24 August 2021 05:16:22.152 (reference: Online epoch converter)
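The request and response handling described above, as an added example that is not part of the Wpay documentation or SDK: it validates the values interpolated into the token request, converts `tokensIssuedAt` (milliseconds) plus `accessTokenExpiresIn` (seconds) into an absolute expiry, and refuses to build headers from an expired token. The helper names, the hostname-label check and the 30-second skew are assumptions.

```javascript
// Added example: helper names and checks are assumptions, not Wpay SDK code.
const HOST_SUFFIX = ".mobile-api.woolworths.com.au";
const TOKEN_PATH = "/wow/v1/idm/servers/token";

// Build the URL and fetch() options for the server-side token request.
function buildTokenRequest({ environment, apiKey, shopperId, username, isGuest = false,
                             accessTokenExp = 3600, refreshTokenExp = 2592000 }) {
  // environment becomes part of the hostname: accept a single DNS label only.
  if (typeof environment !== "string" || !/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/.test(environment)) {
    throw new Error("invalid environment");
  }
  // The page requires a stable identifier that is never an email address.
  if (typeof shopperId !== "string" || shopperId === "" || shopperId.includes("@")) {
    throw new Error("invalid shopperId");
  }
  for (const seconds of [accessTokenExp, refreshTokenExp]) {
    if (!Number.isInteger(seconds) || seconds <= 0) throw new Error("invalid expiry");
  }
  const url = new URL(`https://${environment}${HOST_SUFFIX}${TOKEN_PATH}`);
  url.searchParams.set("access_token_exp", String(accessTokenExp));
  url.searchParams.set("refresh_token_exp", String(refreshTokenExp));
  return {
    url: url.toString(),
    options: {
      method: "POST",
      headers: { "Content-Type": "application/json", "X-Api-Key": apiKey },
      body: JSON.stringify({ shopperId, username, isGuest }),
    },
  };
}

// tokensIssuedAt is epoch milliseconds; accessTokenExpiresIn is seconds.
function accessTokenExpiryMs(tokenResponse) {
  return tokenResponse.tokensIssuedAt + tokenResponse.accessTokenExpiresIn * 1000;
}

// Headers for later API calls; rejects a token at or within skewSec of expiry.
function authHeaders(apiKey, tokenResponse, nowMs = Date.now(), skewSec = 30) {
  if (nowMs >= accessTokenExpiryMs(tokenResponse) - skewSec * 1000) {
    throw new Error("access token expired");
  }
  return { "X-Api-Key": apiKey, Authorization: `Bearer ${tokenResponse.accessToken}` };
}

// Constructed sample, shaped like the Token Response on this page.
const sampleResponse = { accessToken: "SAMPLE-ACCESS-TOKEN", accessTokenExpiresIn: 3599, tokensIssuedAt: 1629782182152 };
```

Pass the `url` and `options` returned by `buildTokenRequest` to `fetch()` on your server, and call `authHeaders` each time a request is built so an expired token triggers a refresh instead of a rejected call.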