Authentication

The API uses OAuth2 client-credentials. Exchange your client_id and client_secret for a short-lived Bearer access token, then send it on every request.

POST /oauth/token

This is the only unauthenticated endpoint. It is machine-to-machine and is never rate-limited out of your way.

Request body

Field

Type

Required

Description

client_id

string

yes

Public key for the app, pk_test_… / pk_live_….

client_secret

string

yes

Secret key. Server-side only — never expose it client-side.

cURL

curl -X POST https://<your-operator>/api/bridgepay/v1/oauth/token \
  -H "Content-Type: application/json" \
  -d '{"client_id":"pk_test_xxx","client_secret":"sk_test_xxx"}'

Node.js

const r = await fetch(`${base}/oauth/token`, {
  method: "POST", headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ client_id: CID, client_secret: SECRET }),
});
const { data } = await r.json();

Python

r = requests.post(f"{BASE}/oauth/token",
                  json={"client_id": CID, "client_secret": SECRET})
data = r.json()["data"]

PHP

$ch = curl_init("https://<your-operator>/api/bridgepay/v1/oauth/token");
curl_setopt_array($ch, [
  CURLOPT_POST => true,
  CURLOPT_HTTPHEADER => ["Content-Type: application/json"],
  CURLOPT_POSTFIELDS => json_encode(["client_id"=>$cid, "client_secret"=>$secret]),
  CURLOPT_RETURNTRANSFER => true,
]);
$data = json_decode(curl_exec($ch), true)["data"];

Response

Field

Type

Required

Description

access_token

string

The Bearer token to send on every call.

token_type

string

Always Bearer.

expires_in

integer

Seconds until expiry (3600 = 1 hour).

sandbox

boolean

Whether this app is in sandbox.

Using the token

Authorization: Bearer at_...

Lifetime & caching

  • Tokens last 1 hour. Cache and reuse one until it expires — don't mint a token per request.

  • On a 401, fetch a fresh token once and retry the original call.

  • A token is bound to one app and only ever sees that app's data.

Rotating a leaked secret

Rotate the secret from the portal (Credentials → Rotate). Rotation is immediate and revokes every existing token, so deploy the new secret first, then rotate.

Keep the secret server-side

Never put client_secret in a browser, mobile app or public repo. Treat it like a password. For browser checkouts, use the hosted flow rather than embedding the secret.

Was this page helpful?