Online Payments

API authentication

Last updated: 17-May-2022

Obtaining API Keys

   The expiration date of API Keys is one year from the date of activation. The system automatically sends email notifications every week during the last three months and every day during the last week before the expiration date.

With the recent update of Entity Service and Verifone Central, API Keys can now be generated directly in the Admin Panel.

To obtain the keys, follow the steps below.

  1. Log in to the relevant site as a valid user.
  2. Navigate to the user settings at the top right corner and select the "API Keys" option from the dropdown menu.

    (Screenshot: API Keys menu icon)

  3. On the API Keys page, click the "Create API Key" button.

    (Screenshot: Create API Key)

  4. Click the "Copy public key" button and paste the key into a safe location. Once the key has been copied, a success message appears at the bottom right corner of your screen. Remember that the API key expires one year after activation.

    (Screenshot: API Key created)

    (Screenshot: API Keys page)

  5. Navigate back to the "My Account" page.

    (Screenshot: My Account)

  6. Locate your "user-uid" by highlighting and copying the rest of the URL in your browser's address field. See the screenshot below.

    (Screenshot: locating the user-uid)

Encoding API Key

To encode API keys, follow the authentication method below.

  1. Send the header in the form Authorization: Basic "user-uid:api key".
  2. Replace "user-uid" and "api key" with your own values, keeping the colon between them.
  3. Encode the whole "user-uid:api key" string in base64 and use the result as the header value.

For example, the following "user-uid:api key" string

777c31b3-a85f-4823-93a5-9055d1b:cGEFFLjYuUCtmerXlhTfAdaPpYVnXDJZmg

encodes in base64 to

Nzc3YzMxYjMtYTg1Zi00ODIzLTkzYTUtOTA1NWQxYjpjR0VGRkxqWXVVQ3RtZXJYbGhUZkFkYVBwWVZuWERKWm1n

Thus, the header should look like this:

Authorization: Basic Nzc3YzMxYjMtYTg1Zi00ODIzLTkzYTUtOTA1NWQxYjpjR0VGRkxqWXVVQ3RtZXJYbGhUZkFkYVBwWVZuWERKWm1n
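An added example (not code from the Verifone documentation) that builds the Basic header exactly as described above and, for comparison, parses it back the way a receiving server does; the user-uid and API key are the ones from the page's worked example, and the function names are this example's own.

```python
import base64


def basic_auth_header(user_uid, api_key):
    """Build the Authorization value for Verifone's scheme: base64("user-uid:api key").
    The user-uid must not contain ':' because the receiver splits the decoded
    string at the FIRST colon; a colon inside the api key is harmless."""
    if ":" in user_uid:
        raise ValueError("user-uid must not contain ':'")
    for value in (user_uid, api_key):
        if any(ch in value for ch in "\r\n\0"):
            raise ValueError("credential contains control characters")
    raw = "{}:{}".format(user_uid, api_key).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth_header(header):
    """Inverse operation, as the server side performs it: return (user_uid, api_key),
    or None when the header is not a well-formed Basic credential."""
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user_uid, sep, api_key = decoded.partition(":")
    if not sep:
        return None
    return user_uid, api_key


# Values taken from the worked example on this page
EXAMPLE_USER_UID = "777c31b3-a85f-4823-93a5-9055d1b"
EXAMPLE_API_KEY = "cGEFFLjYuUCtmerXlhTfAdaPpYVnXDJZmg"
```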

Setting up Basic Auth in Postman

To set up Basic Auth in Postman, follow the steps below. Additionally, you can create a new collection by downloading our OpenAPI specification file available here.

  1. Navigate to the GET Health check menu item on the Collections page.
  2. Click the Authorization menu item below the request URL field.
  3. Choose the Basic Auth option from the Type dropdown list.
  4. Paste your "user-uid" into the Username field and your "api key" into the Password field, then send the request. See the screenshot below.

    (Screenshot: Basic Auth in Postman)

Authenticate using OAuth 2.0

Alternatively, OAuth 2.0 can be used with a Client ID, Client Secret and Scope. These values are provided during onboarding.

Using the provided credentials, you generate a JWT access token that must be sent with all API calls.

Prerequisite to using APIs

To authenticate with the Verifone APIs, you must obtain an access token. This access token is attached to API requests and inspected for a valid signature and expiration time when performing API calls.

How to obtain the authentication credentials

You will be provided with the following details during onboarding:

  • Client ID
  • Client Secret (associated to the Client ID)
  • Scope

Use the following links for each environment:

US Production
EMEA Production
NZ Production
AU Production
Global Sandbox

With these credentials, you can authenticate, authorize and receive the access token.

How to obtain the access token

The access token is formatted as a JWT (JSON Web Token).

The OAuth 2.0 Client Credentials grant is used to get the access token. Your application needs to store the Client ID and Client Secret securely.

Perform the following call to get your access token:

# TOKEN_URL is the token endpoint of your environment (see the links above).
# Do not pass -k: the token endpoint must be reached over a verified TLS connection.
curl --request POST \
  --data "grant_type=client_credentials" \
  --data "client_id=${CLIENT_ID}" \
  --data "client_secret=${CLIENT_SECRET}" \
  --data-urlencode "scope=${SCOPE}" \
  "${TOKEN_URL}"
# --data-urlencode is used for scope because several scopes are space-separated in one value.

Request parameters

  • grant_type - set to client_credentials, indicating that the Client Credentials grant is in use
  • scope - must be at least one custom scope received from Verifone; in case of multiple scope values, they need to be sent as space-separated values within a single string

Response parameters

  • access_token - Contains the access token in JWT format (RFC 7519).
  • expires_in - Contains the expiration time in seconds for the access token. Once the access token expires, you should send a new request to the authorization endpoint in order to re-authenticate your application.
  • scope - Contains the list of all the scopes associated with the "access_token".

As per RFC 6749, no refresh token is provided. If the request fails client authentication or is invalid, the authorization server returns an HTTP 400 (Bad Request) status code.

Example access token

If the credentials are valid, the application receives an access token formatted as a JSON Web Token (JWT).

Example access token:


To inspect the token, you can use the jwt command line tool:

$ cat Token.txt | xargs jwt decode

Token header
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "wU3ifI23aqasB/FG6eM1P1QM="
}

Token claims
{
  "aud": "VerifoneOauth",
  "auditTrackingId": "7cec23db-555-6666-7777-999999999-47436",
  "authGrantId": "K8QuHaqbzUJAQWSM8waZFazn8",
  "auth_time": 1596970875,
  "entity_id": "81049fd1-6126-4d41-8416-aa356c498cca",
  "exp": 1596971055,
  "expires_in": 180,
  "grant_type": "client_credentials",
  "iat": 1596970875,
  "iss": "",
  "jti": "vkQgMdem7nmUa2-OQYxtJ3WP0-A",
  "nbf": 1596970875,
  "realm": "/VerifoneServices",
  "roles": "[VERIFONE_TEST]",
  "scope": [
    ...
  ],
  "sub": "59beb037-d64a-4228-8364-0ed540205fd5",
  "tokenName": "access_token",
  "token_type": "Bearer"
}
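An added example (not code from the Verifone documentation) covering the token request body and the client-side handling of the response: it encodes several scopes space-separated in a single scope value as required above, splits a token into header and claims for inspection without verifying the signature (the API does that), and decides from exp and nbf whether a cached token can still be used or a new one must be requested. The sample token is constructed here from the header and a subset of the claims shown above, with a dummy signature; all function names are this example's own.

```python
import base64
import json
import time
from urllib.parse import urlencode


def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(token):
    """Return (header, claims) of a compact JWS WITHOUT checking the signature.
    Client-side inspection only; the Verifone API verifies the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def token_is_usable(claims, now=None, leeway=30):
    """True while the token is inside its nbf..exp window. The token is treated as
    expired `leeway` seconds early so a request in flight does not hit an expired token."""
    now = time.time() if now is None else now
    if "exp" not in claims or claims.get("nbf", 0) > now:
        return False
    return now + leeway < claims["exp"]


def client_credentials_body(client_id, client_secret, scopes):
    """Form body of the token request; multiple scopes go space-separated in ONE
    scope value, and urlencode() takes care of encoding the spaces."""
    return urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": " ".join(scopes)})


# Constructed sample token: the header and a subset of the claims shown on the
# page, with a dummy signature (inspect_jwt does not verify it).
def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "kid": "wU3ifI23aqasB/FG6eM1P1QM="}
SAMPLE_CLAIMS = {"aud": "VerifoneOauth", "sub": "59beb037-d64a-4228-8364-0ed540205fd5",
                 "iat": 1596970875, "nbf": 1596970875, "exp": 1596971055,
                 "expires_in": 180, "grant_type": "client_credentials",
                 "token_type": "Bearer"}
SAMPLE_TOKEN = ".".join([_b64url(json.dumps(SAMPLE_HEADER).encode()),
                         _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
                         _b64url(b"dummy-signature")])
```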

Access Token Format

The obtained access token is in JWT format [RFC 7519].

Header

 # | Claim | Content | Claim Name | Claim type
 1 | "alg" | RS256 | Hashing algorithm (RS256 - RSASSA-PKCS-v1_5 using SHA-256) | Registered
 2 | "typ" | JWT | The type of the token | Registered
 3 | "kid" | Key Identifier ("1ee4d9e7dcfef215d133c7ed7ac87c95f8d8e712") | Key ID (which key was used to secure the JWS) | Registered [RFC 7515]

Payload

 # | Claim | Content | Claim Name | Claim type
 1 | "sub" | "5f8a9877-965c-4d25-bc86-45d1cfc1c324" | Subject (User UUID) | Registered
 2 | "entity_id" | "a4994358-a475-4ee2-aefe-acefd622991c" | User associated Entity ID. The Entity ID can be found in Verifone Central under Administration → Organisations; the 'Organisation ID' listed there is the Entity ID. | Private
 3 | "iss" | "/root/realms/MerchantApp" | Issuer | Registered
 4 | "aud" | "Verifone View" | Audience - recipient for which the JWT is intended | Registered
 5 | "iat" | 1516239022 | Issued At Time | Registered
 6 | "exp" | NumericDate value | Expiration Time | Registered
 7 | "nbf" | 1568783970 | Not Before Time - time before which the JWT must not be accepted for processing | Registered
 8 | "roles" | ["MERCHANT_REVIEWER", "MERCHANT_DEVELOPER"] | User associated role(s) | Private
 9 | "jti" | TO6JCVdqS4hJB3_DzVurB3HOe9s | JWT ID - unique identifier; can be used to prevent the JWT from being replayed | Registered
10 | "scope" | Merchant Scope | Scopes (limit the API category that can be accessed) | Registered
11 | "auditTrackingId" | cbadf943-c28c-450b-bd53-ef11c2b7d80c-17881178 | AM correlation to audit trail | Private
12 | "auth_level" | 0 | AM Authentication level | Private
13 | "tokenName" | access_token | Token description | Private
14 | "realm" | "/MerchantApp" | AM authentication realms | Private

Signature

The signature is the result of the following computation:

JWT_Hash = SHA256(Header + Payload)
JWT_Signature = RS256(JWT_Hash, Private_key)


Using the JWT to authenticate in API calls

Once an access token has been obtained, it must be sent with all requests to any of the Verifone APIs.

This is done by sending the access token as a bearer token in the Authorization HTTP header, for example with curl:

   -H "Accept: application/json" \
   -H "Authorization: Bearer {token}"

