client_id and client_secret from the Developers section of your SaturnShift PSP portal, exchange them for an access token, and send that token on every API request.
Get a token
Send your credentials to the token endpoint. You can pass them in the form body or as HTTP Basic auth.Use the token
Send it as a bearer token on every request:Token lifetime and scopes
- Tokens expire after 1 hour (
expires_in: 3600). Cache the token and refresh on expiry or when you get a401. - Scopes are
transactions:readandmerchants:read. Request a subset with the optionalscopeparameter; you can never exceed what your client was granted.
Security
- Send the
client_secretin the body or via Basic auth. Never put it in the query string. - Store the secret server-side only.
- Rotate the secret any time from the Developers page. The previous secret stops working immediately.