Authentication

The Localpayment API uses OAuth 2.0 for authentication. To access protected resources, you need to obtain an access token and include it in the request using the Authorization header with the Bearer scheme.

Security

For both environments, it is imperative that all API requests adhere to the following security practices:

  • HTTPS Protocol: All communication with the Localpayment API must occur over HTTPS. This ensures that data transmitted between your server and our API is encrypted and protected from interception.

  • Server-Side Requests: API requests must originate from your secure server environment. Requests from client-side code (e.g., browser-based JavaScript) are strictly prohibited. This is crucial for protecting your API credentials and preventing unauthorized access.

  • IP Whitelisting: Your server's IP address must be added to the whitelist within the Localpayment dashboard to allow API calls. Without this step, requests to the API will be blocked for security reasons.

Adhering to these guidelines is essential for maintaining the security and integrity of your integration with the Localpayment API. Failure to comply may result in service disruption or security vulnerabilities.

Obtaining an Access Token

To generate an access token, send a request with the username and password provided by Localpayment to the authentication endpoint:

Access Token Request

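cURL

curl --request POST \
     --url https://api.stage.localpayment.com/api/token/ \
     --header 'accept: application/json' \
     --header 'content-type: application/json' \
     --data '
{
  "username": "[email protected]",
  "password": "password"
}
'

JavaScript

// Run server-side (e.g. Node.js), never in browser code
const url = 'https://api.stage.localpayment.com/api/token/';
const options = {
  method: 'POST',
  headers: {accept: 'application/json', 'content-type': 'application/json'},
  // Credentials provided by Localpayment go in the JSON body
  body: JSON.stringify({username: '[email protected]', password: 'password'})
};

fetch(url, options)
  .then(res => res.json())
  .then(json => console.log(json))
  .catch(err => console.error(err));

Ruby

require 'uri'
require 'net/http'
require 'json'

url = URI("https://api.stage.localpayment.com/api/token/")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true

request = Net::HTTP::Post.new(url)
request["accept"] = 'application/json'
request["content-type"] = 'application/json'
# Credentials provided by Localpayment go in the JSON body
request.body = JSON.generate(username: '[email protected]', password: 'password')

response = http.request(request)
puts response.read_body

PHP

<?php
require_once('vendor/autoload.php');

$client = new \GuzzleHttp\Client();

$response = $client->request('POST', 'https://api.stage.localpayment.com/api/token/', [
  'headers' => [
    'accept' => 'application/json',
    'content-type' => 'application/json',
  ],
  // Credentials provided by Localpayment go in the JSON body
  'json' => [
    'username' => '[email protected]',
    'password' => 'password',
  ],
]);

echo $response->getBody();

Python

import requests

url = "https://api.stage.localpayment.com/api/token/"

headers = {
    "accept": "application/json",
    "content-type": "application/json"
}

# Credentials provided by Localpayment go in the JSON body
payload = {
    "username": "[email protected]",
    "password": "password"
}

response = requests.post(url, json=payload, headers=headers, timeout=10)

print(response.text)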

Access Token Response

A successful response returns a JSON object containing the access and refresh tokens.

{
  "refresh": "eyJ0eXAiOiJKV1QiLCJhbGccM5kYO7o4iOiJIU18jaiJ9.eyJ0b2tlbl90eXBlIjoicmVmcmVzaCIsImV4cCI6MTczNTMxOTkyOSwianRpIjoiZWUxMDE3MTUwY2JhNGM1NTg0MjYyZmRkZTdiOThiNGQiLCJ1c2VyX2lkIjoxMDAwLCJzdXBlcnVzZXIiOnRydWUsImlzX3N0YWZmIjp0cnVlLCJybaCIsImV4cCI62xlcyI6WyJBTEwiXSwiY291bnRyaWVzIjpbIkFMTCJdLCJjb21wYW55IjoiQUxMIiwiY2xpZW50X2NvZGUiOiJBNzaW9uTEwiLCJwZXJtaXcyI6W119.6siymomkQ72yMvHGU9sMCO4h-cxpNgQXor",
  "access": "eyJ0eXAiOiJKV1QiLCJhJIUzI1NiJ9.eyJ0b2tlbl90eXBlIbGciOijoiYWNjZXNzIiwiZXhwIjoxNzM1MjMzODI5LCJqdGkiOiJiMDRmNzQ3YWEjOCIsIn4Mjg0YjM0YmMwN2Y4ZjVkOWM0NWFVzZXJfaWQiOjEwMDAsInN1cGVydXNlciI6dHJ1ZSwiaXNfc3RhZmYiOnRy3VudHJpZXMiOljpbIkFsiQUxMIl0sImNvbXBhbnkiOiJBTEwiLCJjbGllbnRfY29kZSI6IkFMTCIsInBlcm1pc3Npb25zIjpdWUsInJvbGVzIMTCJdLlqEnH7GrECJjbbXX0.sWOLKFxCcXQkUcPvTjYceXBp39hDF3-Snc"
}

  • access: The access token to be used in API requests.
  • refresh: A token used to obtain a new access token once it expires.

Using the Access Token

Include the access token in the Authorization header of your API requests as a Bearer token:

Authorization: Bearer eyJ...

Token Expiration

Access tokens obtained from this endpoint have a limited lifespan of 5 minutes to ensure security. After this period, the token will no longer be valid for authenticating API requests.

Default Expiration: Access tokens generated through this endpoint typically expire after 5 minutes (300 seconds).

If an access token is expired or invalid, the API will return a 401 Unauthorized response:

{
  "detail": "Given token not valid for any token type",
  "code": "token_not_valid",
  "messages": [
    {
      "token_class": "AccessToken",
      "token_type": "access",
      "message": "Token is invalid or expired"
    }
  ]
}

In that case, request a new token using the refresh token, or re-authenticate if necessary.

Refreshing the Access Token

Once the access token expires, you can use the refresh token to obtain a new one. Generate a token only when the previous one has expired; there is no need to generate a new one with each call.

The refresh token has a lifetime of 24 hours. After this time, you will need to authenticate again by obtaining a new access token.

Refresh token Request

Send a POST request to the refresh token endpoint with the refresh token value in the request body:

cURL

curl --request POST \
  --url https://api.stage.localpayment.com/api/token/refresh/ \
  --header 'Accept: application/json, text/html' \
  --header 'Content-Type: application/json' \
  --data '{
  "refresh": "eyJ0eXAiOiJKV1QiLCJhbGccM5kYO7o4iOiJIU18jaiJ9.eyJ0b2tlbl90eXBlIjoicmVmcmVzaCIsImV4cCI6MTczNTMxOTkyOSwianRpIjoiZWUxMDE3MTUwY2JhNGM1NTg0MjYyZmRkZTdiOThiNGQiLCJ1c2VyX2lkIjoxMDAwLCJzdXBlcnVzZXIiOnRydWUsImlzX3N0YWZmIjp0cnVlLCJybaCIsImV4cCI62xlcyI6WyJBTEwiXSwiY291bnRyaWVzIjpbIkFMTCJdLCJjb21wYW55IjoiQUxMIiwiY2xpZW50X2NvZGUiOiJBNzaW9uTEwiLCJwZXJtaXcyI6W119.6siymomkQ72yMvHGU9sMCO4h-cxpNgQXor"
}'

JavaScript

// Run server-side (e.g. Node.js), never in browser code
const url = 'https://api.stage.localpayment.com/api/token/refresh/';
const options = {
  method: 'POST',
  headers: {accept: 'application/json', 'content-type': 'application/json'},
  // Refresh token from the last token response (abbreviated placeholder)
  body: JSON.stringify({refresh: 'eyJ...'})
};

fetch(url, options)
  .then(res => res.json())
  .then(json => console.log(json))
  .catch(err => console.error(err));

Ruby

require 'uri'
require 'net/http'
require 'json'

url = URI("https://api.stage.localpayment.com/api/token/refresh/")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true

request = Net::HTTP::Post.new(url)
request["accept"] = 'application/json'
request["content-type"] = 'application/json'
# Refresh token from the last token response (abbreviated placeholder)
request.body = JSON.generate(refresh: 'eyJ...')

response = http.request(request)
puts response.read_body

PHP

<?php
require_once('vendor/autoload.php');

$client = new \GuzzleHttp\Client();

$response = $client->request('POST', 'https://api.stage.localpayment.com/api/token/refresh/', [
  'headers' => [
    'accept' => 'application/json',
    'content-type' => 'application/json',
  ],
  // Refresh token from the last token response (abbreviated placeholder)
  'json' => [
    'refresh' => 'eyJ...',
  ],
]);

echo $response->getBody();

Python

import requests

url = "https://api.stage.localpayment.com/api/token/refresh/"

headers = {
    "accept": "application/json",
    "content-type": "application/json"
}

# Refresh token from the last token response (abbreviated placeholder)
payload = {"refresh": "eyJ..."}

response = requests.post(url, json=payload, headers=headers, timeout=10)

print(response.text)

Refresh token Response

The new access token should be used for subsequent requests, and the new refresh token should be stored for future use.

{
  "refresh": "eyJ0eXAiOiJKV1QiLCJhbGccM5kYO7o4iOiJIU18jaiJ9.eyJ0b2tlbl90eXBlIjoicmVmcmVzaCIsImV4cCI6MTczNTMxOTkyOSwianRpIjoiZWUxMDE3MTUwY2JhNGM1NTg0MjYyZmRkZTdiOThiNGQiLCJ1c2VyX2lkIjoxMDAwLCJzdXBlcnVzZXIiOnRydWUsImlzX3N0YWZmIjp0cnVlLCJybaCIsImV4cCI62xlcyI6WyJBTEwiXSwiY291bnRyaWVzIjpbIkFMTCJdLCJjb21wYW55IjoiQUxMIiwiY2xpZW50X2NvZGUiOiJBNzaW9uTEwiLCJwZXJtaXcyI6W119.6siymomkQ72yMvHGU9sMCO4h-cxpNgQXor",
  "access": "eyJ0eXAiOiJKV1QiLCJhbeyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiGciOiJIUzI1NiJ9.ZXhwIjoxNzM1MjM1MTk1LCJqdGkiOiI3MzBiYTdiMzMyMGU0NWU2ODk4ZGRjNWVlODY1YzEyNSIsInVzZXJfaWQiOjEwMDAsdXNlciI6dHJ1ZSwiaXNfc3RInN1cGVyhZmYiOnRydWUsIm90cCI6MTExMTExLCJyb2xlcyI6WyJBTEwiXSwiY291bnRyaWVzIjpbIkGUiOiJBTEwiLCJwZXJtaXNzaW9ucMTCJdLCJjb21wYW55IjoiQUxMIiwiY2xpZW50X2NvZyI6W119.peiX9q9Vw72UKs8LCE3C3VSq2vaQm4Gq962gsSTm4Bn0"
}
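
The token lifecycle described on this page (reuse the access token for its 5 minutes, renew it with the refresh token, log in again after 24 hours), as an added example that is not Localpayment's own code. `TokenManager`, `https_post`, `SKEW` and the injectable `post`/`clock` parameters are assumptions made for illustration; the 24-hour window is counted from the last login, which is a conservative assumption.

```python
import json
import time
import urllib.request

BASE = "https://api.stage.localpayment.com"  # stage host used on this page
ACCESS_TTL = 300          # access token lifetime stated above (5 minutes)
REFRESH_TTL = 24 * 3600   # refresh token lifetime stated above (24 hours)
SKEW = 30                 # assumption: renew this many seconds before expiry

def https_post(url, payload):
    """POST JSON over HTTPS; urllib verifies the server certificate by default."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Accept": "application/json", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenManager:
    """Hypothetical server-side helper: caches the token pair, renews only when needed."""
    def __init__(self, username, password, post=https_post, clock=time.monotonic):
        # Load the credentials from a secret store or environment, not from source code.
        self._creds = {"username": username, "password": password}
        self._post, self._clock = post, clock
        self._access = self._refresh = None
        self._access_exp = self._refresh_exp = 0.0

    def invalidate(self):
        """Call after a 401 token_not_valid so the next request renews the token."""
        self._access_exp = 0.0

    def access_token(self):
        now = self._clock()
        if self._access and now < self._access_exp - SKEW:
            return self._access                       # still valid: no new token
        if self._refresh and now < self._refresh_exp - SKEW:
            body = self._post(BASE + "/api/token/refresh/", {"refresh": self._refresh})
            self._refresh = body.get("refresh", self._refresh)  # store the new one
        else:                                         # first call or refresh expired
            body = self._post(BASE + "/api/token/", self._creds)
            self._refresh, self._refresh_exp = body["refresh"], now + REFRESH_TTL
        self._access, self._access_exp = body["access"], now + ACCESS_TTL
        return self._access

    def auth_header(self):
        return {"Authorization": "Bearer " + self.access_token()}
```

Pass `auth_header()` into each API request, and call `invalidate()` before retrying once when a request comes back with `401` and `code` set to `token_not_valid`.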
