
Access Token

smilepayz teams · About 2 min




Authorization is the method by which Service Providers grant access to API requests from Service Users. The standards used
are:

  • OAuth 2.0, compliant with RFC 6749
  • Bearer tokens, compliant with RFC 6750

Before granting access, the Service Provider authenticates the Service User. The means used are credentials exchanged
while the partnership is being set up, namely a client secret and a public/private key pair, which are used together with
specific cryptographic algorithms.

Request




Header Format Structure Components – Access Token

| Item         | Value                           |
|--------------|---------------------------------|
| Service Code | 73                              |
| Name         | API Access Token B2B            |
| Version      | 1.0                             |
| HTTP Method  | POST                            |
| Path         | .../{version}/access-token/b2b  |


API Header Format Structure for Access Token Request (B2B):

| Area   | Field          | Attribute | Type   | Description |
|--------|----------------|-----------|--------|-------------|
| Header | Content-Type   | Mandatory | String | Indicates the media type of the resource (e.g. application/json, application/pdf) |
| Header | X-TIMESTAMP    | Mandatory | String | Merchant's current local time in yyyy-MM-ddTHH:mm:ssTZD format |
| Header | X-CLIENT-KEY   | Mandatory | String | Merchant_ID: the merchant's merchant_id (PJP Name), given on completion of the registration process |
| Header | X-SIGNATURE    | Mandatory | String | Non-repudiation and integrity check using an asymmetric signature algorithm |
| Body   | grantType      | Mandatory | String | Fixed value; must be "client_credentials" |
| Body   | additionalInfo | Optional  | Object | Additional information |

Notes: X-SIGNATURE and grantType

  1. X-SIGNATURE = SHA256withRSA(private_key, stringToSign), where stringToSign = X-CLIENT-KEY + "|" + X-TIMESTAMP.
  2. Compose the string to sign: stringToSign = X-CLIENT-KEY + "|" + X-TIMESTAMP.
  3. The signature string is generated from the string to sign by applying SHA-256 with an RSA-2048 signature
    (SHA256withRSA) using the PKCS#8 private key, and then base64-encoding the result.
  4. Put the signature string into the HTTP header "X-SIGNATURE" when calling the API to obtain a B2B access token.
  5. grantType: the client can request an access token using only its client credentials (currently the only supported
    type is 'client_credentials') when it is requesting access to the protected resources under its control (OAuth
    2.0: RFC 6749 & 6750).

Tips

  1. Your Merchant_ID can be found on this page. Please note that the sandbox environment is different from the production
    environment.
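The signing steps above, worked through end to end as an added example (not code from smilepayz): build stringToSign, sign it with SHA256withRSA (RSASSA-PKCS1-v1_5) using a PKCS#8 DER private key, base64-encode the result, and, on the Service Provider side, verify the received header against the merchant's registered public key. The RSA key is generated on the fly for the demo; a real merchant key comes from the onboarding process.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
)
// StringToSign is the exact input the signature covers: X-CLIENT-KEY + "|" + X-TIMESTAMP.
func StringToSign(clientKey, timestamp string) string {
	return clientKey + "|" + timestamp
}

// SignHeader returns X-SIGNATURE: SHA256withRSA (PKCS#1 v1.5) over stringToSign, base64-encoded.
func SignHeader(pkcs8Key []byte, clientKey, timestamp string) (string, error) {
	key, err := x509.ParsePKCS8PrivateKey(pkcs8Key) // merchant private key in PKCS#8 DER form
	if err != nil {
		return "", err
	}
	rsaKey, ok := key.(*rsa.PrivateKey)
	if !ok {
		return "", fmt.Errorf("PKCS#8 key is not RSA")
	}
	digest := sha256.Sum256([]byte(StringToSign(clientKey, timestamp)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyHeader is the Service Provider side check against the merchant's registered public key.
func VerifyHeader(pub *rsa.PublicKey, clientKey, timestamp, signature string) bool {
	sig, err := base64.StdEncoding.DecodeString(signature)
	if err != nil {
		return false
	}
	digest := sha256.Sum256([]byte(StringToSign(clientKey, timestamp)))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo key, not a real merchant credential
	pkcs8, _ := x509.MarshalPKCS8PrivateKey(priv)
	sig, _ := SignHeader(pkcs8, "10001", "2020-01-01T00:00:00+07:00")
	fmt.Println("X-SIGNATURE:", sig, "valid:", VerifyHeader(&priv.PublicKey, "10001", "2020-01-01T00:00:00+07:00", sig))
}
```

A production verifier should additionally bound X-TIMESTAMP to a short window around its own clock, because the signature alone does not stop a captured header pair from being presented again.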

Example Header – Access Token Request:

POST .../v1.0/access-token/b2b HTTP/1.1

Content-Type: application/json
Host: localhost:44339
X-TIMESTAMP: 2020-01-01T00:00:00+07:00
X-CLIENT-KEY: 10001
X-SIGNATURE: 07abc7c30d245c0ecce3ef6c2a9ac7...


Response




API header format structure for the access token response:

| Area   | Field        | Attribute | Type   | Description |
|--------|--------------|-----------|--------|-------------|
| Header | Content-Type | Mandatory | String | Indicates the media type of the resource (e.g. application/json, application/pdf) |
| Header | X-TIMESTAMP  | Mandatory | String | Merchant's current local time in yyyy-MM-ddTHH:mm:ssTZD format |


Example Header – Access Token Response:

Content-Type: application/json
X-TIMESTAMP: 2020-12-17T10:55:00+07:00

Body Parameters



| Area | Field           | Attribute | Type       | Description |
|------|-----------------|-----------|------------|-------------|
| Body | responseCode    | Mandatory | String(32) | Response code. success=2007300 |
| Body | responseMessage | Mandatory | String(64) | Response description |
| Body | accessToken     | Mandatory | String     | String representing an authorization issued to the client, used to access protected resources |
| Body | tokenType       | Optional  | String     | Access token type; provides the client with the information required to successfully |
| Body | expiresIn       | Optional  | String     | Session expiry in seconds: 900 (15 minutes) |
| Body | additionalInfo  | Mandatory | Object     | Merchant JSON string with additional information |

Notes: tokenType

  1. "Bearer": the access token string is included in the request.
  2. "Mac": a Message Authentication Code (MAC) key is issued together with the access token and is used to sign certain
    components of the HTTP requests.

{
    "responseCode":"2007300",
    "responseMessage":"Successful",
    "accessToken":"eyJhbG...cZ9.-7HRhcyEh4y0qsG2H3DRd...NU",
    "tokenType":"Bearer",
    "expiresIn":"900",
    "additionalInfo":{

    }
}
