1. Authorization

Integrating Hosted fields requires two separate authentications depending on the context of the request. This is done to ensure a high level of security. The contexts are defined below:

  • Server-side API calls
  • Client-side API calls

These contexts are differentiated by which key/token to use for authentication:

  • Server-side: An ApiKey must be used. These can be created using the Epay backoffice and will be valid as long as the key exists.
  • Client-side: A SessionKey must be used. These are created when a session is initialized and are unique to the session they are associated with. A SessionKey is only valid as long as the session is active. If the key is lost, a new session must be started as this is the only way of obtaining a new SessionKey.

Epay requires the Authorization header to be present and conform to the standard of a Bearer token for validating requests:

Authorization: Bearer [SECRET_TOKEN]

Use the ApiKey (server-side) or the SessionKey (client-side) as the bearer token.
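
The following is an added example, not Epay's own code, showing one way to keep the two contexts apart in an integration: the header builder refuses the wrong key type for a context, only the SessionKey is handed to the browser, and tokens are redacted before logging. The function names, object shapes and key values are assumptions made for illustration.

```javascript
// Added example. The two contexts and the key names (ApiKey, SessionKey) come
// from the page; the object shapes and function names are assumptions.
const KEY_FOR_CONTEXT = { server: "apiKey", client: "sessionKey" };

// Build the Authorization header for one context, refusing the wrong key type.
function bearerHeader(context, creds) {
  const field = KEY_FOR_CONTEXT[context];
  if (!field) throw new Error(`unknown context: ${context}`);
  const token = creds[field];
  if (typeof token !== "string" || token === "") {
    throw new Error(`${field} is required for ${context}-side calls`);
  }
  // Whitespace or control characters would corrupt the header line.
  if (/[\s\x00-\x1f\x7f]/.test(token)) {
    throw new Error(`${field} contains illegal characters`);
  }
  return { Authorization: `Bearer ${token}` };
}

// What the server may hand to the browser: the SessionKey only, never the ApiKey.
function credentialsForBrowser(creds) {
  return { sessionKey: creds.sessionKey };
}

// Redact bearer tokens before headers reach a log line.
function redactHeaders(headers) {
  const out = { ...headers };
  if (out.Authorization) out.Authorization = "Bearer [REDACTED]";
  return out;
}

// Constructed sample values, not real keys.
const serverCreds = { apiKey: "example-api-key", sessionKey: "example-session-key" };
const browserCreds = credentialsForBrowser(serverCreds);

// Log only the redacted form of each header.
console.log(redactHeaders(bearerHeader("server", serverCreds)));
console.log(redactHeaders(bearerHeader("client", browserCreds)));
```

Because browserCreds carries no ApiKey, a server-context call attempted with it fails before any request is built.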