As part of registering in our system you will have received 2 values that are used for authentication. Failure to properly authenticate using these values will result in API failures and will prevent transaction processing.

  • API Identifier - a non-secure value that should be passed within the JWT under the iss claim.
  • API Key - a SECURE value that should only ever be known between you and Pay’nUp.

These two values are used to generate a valid token to handle authentication.

IMPORTANT: Tokens must be generated in a secure place (server-side or compiled code). NEVER store or use the API Key in a file that customers can see, e.g. JavaScript files. This value should only be used to sign the JWT and to verify a JWT signature from Pay’nUp. It should never be included within the JWT itself. To protect the integration partner account, it is important to keep the API Key confidential. Never include the API Key in transaction requests to Pay’nUp in cleartext. Do not share the API Key outside of the integration partner’s organization. Pay’nUp will never ask for the API Key, and will not deliver it via email.

Learn more about JWTs

JWT Fields

A valid JWT used to pass transactional data must have the following elements:

Please note that each key is case sensitive.

| Claim | Required | Description |
| --- | --- | --- |
| jti | YES | JWT Id - This is created by you and is a unique identifier that can be used to reference a particular JWT within our system. |
| iat | YES | Issued At Time - This is a timestamp of when the JWT was created. |
| iss | YES | Issuer - Identifies who is generating the JWT. This field should contain your API Identifier value provided to you during merchant registration. |
| exp | NO | Expire At Time - Identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. By default a JWT will be considered expired by Pay’nUp after 2hrs. |

JWT Example

Below is an example of the JSON content of a basic JWT Payload.

{
	"jti": "12345",
	"iat": 1514782800,
	"iss": "885A445614046CDB3B2F"
}

ApiKey: 17BEA3BE-8475-402A-8C6D-5CEB20A2A1E9

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiIxMjM0NSIsImlhdCI6MTUxNDc4Mjgw
MCwiaXNzIjoiODg1QTQ0NTYxNDA0NkNEQjNCMkYifQ.weBhi5xK8w6scP2RdLn5ZbS-c8FRoq1Ig2
W9B3nV2qs

View in JWT.io

Currently the only supported algorithm is HS256.

Generating a Server JWT

We recommend using an existing third party library to assist you in generating a JWT. The JWT.io website contains a list of approved libraries, with their feature sets. Check it out here.

The following is a basic example using PHP and firebase/php-jwt:

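<?php
// Composer autoloader for firebase/php-jwt (assumes a standard Composer install)
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;

// ApiKey: sample value; keep the real key in server-side configuration only
$key = "87E0C066-BD48-432D-99D3-EC4F07734C34";
// jti must be unique per token; rand() can repeat, so draw it from a CSPRNG
$transactionId = bin2hex(random_bytes(16));

$token = [
    'jti' => $transactionId,
    "iss" => "885A445614046CDB3B2F", // ApiIdentifier
    "iat" => time()
];
// HS256 is the only supported algorithm; current firebase/php-jwt releases
// require the algorithm to be passed explicitly
$jwt = JWT::encode($token, $key, 'HS256');

echo 'Token: '.$jwt;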

The generated token can be safely used in JavaScript files or other places; these tokens have a short lifetime and are commonly used only for a short time.
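
The signing and verification steps behind the claim table and the HS256-only rule above, as an added example in standard-library Python (not Pay’nUp's code and not part of the original page; in production, use a maintained JWT library as recommended above). Assumptions: the function names are hypothetical, the sample key and identifier are constructed, a token to be verified carries the claims from the table, and the 2-hour default lifetime is counted from iat.

```python
import base64, hashlib, hmac, json, time

DEFAULT_LIFETIME = 2 * 60 * 60  # page: expired after 2 hours (assumed counted from iat)

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256(signing_input: str, api_key: str) -> bytes:
    return hmac.new(api_key.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign_jwt(claims: dict, api_key: str) -> str:
    """Build an HS256 token. The API Key is only the HMAC key, never a claim."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url_encode(hs256(signing_input, api_key))

def verify_jwt(token: str, api_key: str, expected_iss: str, now=None) -> dict:
    """Return the claims of a valid token, raise ValueError otherwise."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm, then check the MAC in constant time before trusting any claim.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    if not hmac.compare_digest(signature, hs256(header_b64 + "." + body_b64, api_key)):
        raise ValueError("bad signature")
    if not isinstance(claims, dict) or claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    if "jti" not in claims or not isinstance(claims.get("iat"), (int, float)):
        raise ValueError("missing jti or iat")
    expires = claims.get("exp", claims["iat"] + DEFAULT_LIFETIME)
    now = time.time() if now is None else now
    if not isinstance(expires, (int, float)) or now >= expires:
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    key, iss = "00000000-0000-0000-0000-000000000000", "EXAMPLEAPIID"  # constructed values
    token = sign_jwt({"jti": "12345", "iat": int(time.time()), "iss": iss}, key)
    print(verify_jwt(token, key, iss))
```

The verifier rejects a token whose header names any algorithm other than HS256 before it computes the MAC, so a token with alg set to "none" and an empty signature never reaches the claim checks.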