Authentication

POST /oauth2/token

Use this address to generate the authorization token that must be sent in the header of other requests. It is necessary to use the CLIENT_ID and CLIENT_SECRET defined in the credential provided by PicPay. Each authorization token generated will be valid for 5 (five) minutes, requiring a new token request. This flow must be included in your application.

For more details, see our page about the authentication process.

Request

application/json

Body

required

grant_type stringrequired

Possible values: [client_credentials]

Defines the oauth flow of the token request.

In the case of the PicPay Acquiring API, it is always client_credentials.

client_id stringrequired

Possible values: Value must match regular expression ^[\w\-]+$

client_secret stringrequired

Possible values: Value must match regular expression ^[\w]+$

Responses

Success response in authentication and update flow token.

application/json

Schema
Example (from schema)

Schema

access_token stringrequired

Possible values: Value must match regular expression ^([\w=]+)\.([\w=]+)\.([\w\-\+\/=]*)

expires_in int32required

refresh_expires_in int32

token_type stringrequired

Possible values: Value must match regular expression ^[\w]+$

not-before-policy int32

scope stringrequired

Possible values: Value must match regular expression ^[\w\.\- ]+$

A string with all scopes of the credential separated by a blank space

core-seller-id string

Possible values: Value must match regular expression ^[\d]+$

merchant-document string

Possible values: Value must match regular expression ^[\d]+$

seller-acquirer-id string

Possible values: Value must match regular expression ^[\d]+$

authorization_details

TokenResponseAuthorizationDetail[]

Array [

type string

Possible values: Value must match regular expression ^[\w]+$

account_id string

Possible values: Value must match regular expression ^[\w\-]+$

fingerprint string

Possible values: Value must match regular expression ^[\w\-]+$

display_name string

Possible values: Value must match regular expression ^[\w\- ]+$

]

{
  "access_token": "string",
  "expires_in": 300,
  "refresh_expires_in": 0,
  "token_type": "Bearer",
  "not-before-policy": 1640873903,
  "scope": "p2b.paymentlink.transactional credential.client_secret.rotate",
  "core-seller-id": "000000",
  "merchant-document": "22896431000110",
  "seller-acquirer-id": "0000000005968341",
  "authorization_details": [
    {
      "type": "authorized_account",
      "account_id": "28a1586b-c810-48df-99ba-f1d304ba00f9",
      "fingerprint": "28a1586b-c810-48df-99ba-f1d304ba00f9",
      "display_name": "PicPay Wallet"
    }
  ]
}

400 Bad Request errors are caused by some failure during authentication. The following errors may be displayed:

invalid_client: Client authentication failed. For example, when the client includes client_id and client_secret in the authorization header, but there is no such client with that client_id and client_secret.
unauthorized_client: The client does not have permission for code grant flow or refresh tokens.
unsupported_grant_type: Returned if grant_type is different of authorization_code or refresh_token.

application/json

Schema
Example (from schema)

Schema

error stringrequired

Possible values: Value must match regular expression ^[\w]+$

error_description stringrequired

Possible values: Value must match regular expression ^[\w\.\-= ]+$

{
  "error": "unauthorized_client",
  "error_description": "Invalid client or Invalid client credentials"
}

Authentication

/oauth2/token

Request​

Body

Responses​

Request

Responses