The Ezypay APIs use bearer tokens for authorization. To get your token for the first time, make a request to our Get Access Token endpoint:

curl -X POST \ \
  -H 'Authorization: application/x-www-form-urlencoded' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=password&username={username}&password={password}&client_id={client_id}&client_secret={client_secret}&scope=integrator%20billing_profile%20create_payment_method%20offline_access'

clientid and clientSecret is given to the partner / integrator once integration is completed

The merchant username, password is sent to merchants via a Welcome Email. To use your tokens, include it in the header of your requests:

-H "Authorization: Bearer {access_token}"

For security reasons, tokens expire in an hour. To refresh a token, call our Refresh Token endpoint:

When getting an access token, you will need to set the scope to:
"integrator billing_profile"

scope=integrator billing_profile create_payment_method offline_access

The changes required are summarised in the table below:

curl -X POST \ \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=refresh_token&client_id={clientId}&client_secret={clientSecret}&refresh_token={refreshToken}'


Important Note:

If the refresh token option is used, Integrator and merchant must be aware that the refresh token will be automatically disabled if it was not used for 7 days.

A preferred option is to re-create a new Authentication Token once the Authentication Token has expired after an hour.

All requests must be sent over HTTPS

If no token is provided, or an invalid one is provided, an Authentication Error is returned. That error should be in the following format:

    "type": "authentication_error",
    "code": 400,
    "message": "400 - {\"error\":\"invalid_grant\",\"error_description\":\"The credentials provided were invalid.\"}"