Authentication
The API uses OAuth2 client-credentials. Exchange your client_id and client_secret for a short-lived Bearer access token, then send it on every request.
POST /oauth/token
This is the only unauthenticated endpoint. It is machine-to-machine and is never rate-limited out of your way.
Request body
Field | Type | Required | Description |
|---|---|---|---|
client_id | string | yes | Public key for the app, |
client_secret | string | yes | Secret key. Server-side only — never expose it client-side. |
cURL
curl -X POST https://<your-operator>/api/bridgepay/v1/oauth/token \
-H "Content-Type: application/json" \
-d '{"client_id":"pk_test_xxx","client_secret":"sk_test_xxx"}'Node.js
const r = await fetch(`${base}/oauth/token`, {
method: "POST", headers: { "Content-Type": "application/json" },
body: JSON.stringify({ client_id: CID, client_secret: SECRET }),
});
const { data } = await r.json();Python
r = requests.post(f"{BASE}/oauth/token",
json={"client_id": CID, "client_secret": SECRET})
data = r.json()["data"]PHP
$ch = curl_init("https://<your-operator>/api/bridgepay/v1/oauth/token");
curl_setopt_array($ch, [
CURLOPT_POST => true,
CURLOPT_HTTPHEADER => ["Content-Type: application/json"],
CURLOPT_POSTFIELDS => json_encode(["client_id"=>$cid, "client_secret"=>$secret]),
CURLOPT_RETURNTRANSFER => true,
]);
$data = json_decode(curl_exec($ch), true)["data"];Response
Field | Type | Required | Description |
|---|---|---|---|
access_token | string | — | The Bearer token to send on every call. |
token_type | string | — | Always |
expires_in | integer | — | Seconds until expiry ( |
sandbox | boolean | — | Whether this app is in sandbox. |
Using the token
Authorization: Bearer at_...Lifetime & caching
Tokens last 1 hour. Cache and reuse one until it expires — don't mint a token per request.
On a
401, fetch a fresh token once and retry the original call.A token is bound to one app and only ever sees that app's data.
Rotating a leaked secret
Rotate the secret from the portal (Credentials → Rotate). Rotation is immediate and revokes every existing token, so deploy the new secret first, then rotate.
Keep the secret server-side
Never put client_secret in a browser, mobile app or public repo. Treat it like a password. For browser checkouts, use the hosted flow rather than embedding the secret.

