Banked uses an HTTP Authorization header. The exact authentication method differs depending on whether you are a merchant or a partner. If you are unsure, please get in touch with our Customer Success team.

Merchant Authentication

Every request should have the header: Authorization: Basic base64(key:secret). You need to Base64 encode the string key:secret.
You can find both your test and production API key and secret in your Banked console.

Partner Authentication

All authorization calls made by our partners use OAuth2 as an authentication method. This includes all Partner API calls, as well as all Payments API calls.

Generating an OAuth token
When you have been onboarded as a Banked partner, you will be issued with a set of credentials, an API key and secret, by your onboarding team. You will use these to generate OAuth tokens.

When generating OAuth tokens, you will need to have an Authorization header using your API key and secret: Authorization: Basic base64(key:secret). OAuth tokens can be:

  • Unscoped - to use any of the Partner API calls, you will need to use an unscoped OAuth token
  • Scoped to a Business Application - any of the Banked Payments API calls need to be scoped to a Business Application. You can get an application ID from the GET Business Applications API call.

An example of a scoped token request will look like the following:

curl --location --request POST 'https://api.banked.com/oauth/token' \
--header 'Authorization: Basic base64(key:secret)' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=APPLICATION_ID'

Your response will look something like the below:

{
    "access_token": "YOUR_TOKEN",
    "token_type": "Bearer",
    "expires_in": 7200,
    "scope": "APPLICATION_ID",
    "created_at": 1615831274
}

You can now use your OAuth token on your API calls. Don't forget that the tokens expire after 2 hours, to ensure constant rotation!

Using an OAuth token

Every request should have the header: Authorization: Bearer YOUR_TOKEN.
Unscoped tokens can be used for the Banked Partner API, and tokens scoped to a Business Application can be used for all other API calls.
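
The token request and Bearer usage described above, as an added example (not Banked's own code): a small client that builds the Basic header, requests a client_credentials token, checks the returned scope, and reuses the token until shortly before its expires_in runs out. The names TokenCache, basic_header, http_post_form and the 60-second refresh margin are hypothetical, and omitting the scope parameter to obtain an unscoped token is an assumption.

```python
import base64, json, time, urllib.parse, urllib.request

TOKEN_URL = "https://api.banked.com/oauth/token"  # endpoint from the page


def basic_header(key, secret):
    """Authorization value: Basic base64(key:secret)."""
    raw = f"{key}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def http_post_form(url, headers, form):
    """Default transport: POST a urlencoded form over HTTPS, return parsed JSON."""
    body = urllib.parse.urlencode(form).encode("ascii")
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Fetches a client_credentials token and reuses it until shortly before expiry."""

    def __init__(self, key, secret, scope=None, post=http_post_form,
                 clock=time.time, margin=60):
        self._auth = basic_header(key, secret)
        self._scope = scope  # application ID; None = unscoped (assumed: omit 'scope')
        self._post, self._clock, self._margin = post, clock, margin
        self._token, self._expires_at = None, 0.0

    def bearer_header(self):
        """Return {'Authorization': 'Bearer <token>'}, refreshing when needed."""
        if self._token is None or self._clock() >= self._expires_at - self._margin:
            form = {"grant_type": "client_credentials"}
            if self._scope:
                form["scope"] = self._scope
            headers = {"Authorization": self._auth,
                       "Content-Type": "application/x-www-form-urlencoded"}
            data = self._post(TOKEN_URL, headers, form)
            if data.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type")
            # Refuse a token whose scope is not the application we asked for.
            if self._scope and data.get("scope") != self._scope:
                raise ValueError("token scope does not match requested application")
            self._token = data["access_token"]
            self._expires_at = self._clock() + float(data["expires_in"])
        return {"Authorization": "Bearer " + self._token}
```

Load the key and secret from a secret store or environment variables rather than source code, and keep the Authorization values out of logs.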