Authentication
This API uses OAuth 2.0 as the authorization method.
Your application asks for a specific authorization scope when the user authorizes it and gains access after the user approves it.
You need to register your application before you start, and after registration you will be assigned a unique uid and client_secret for OAuth authorization. Please note that the client_secret needs to be kept in a safe place and not shared with others.
OAuth Process (Client Credentials Model)
Step 1. Obtain an Access Token using Merchant ID and Client Secret
Your application server can request the /auth interface to obtain an Access Token with the obtained authorization code (code).
Consult sales for the interface address.
The interface parameters are as follows:
grant_type: indicates the authorization mode used, the value here is fixed to "client_credentials" (required)
uid: the merchant number you got when you registered the application (required)
client_secret: the client_secret you get when you register the app (required)
Example:
GET https://${domain_name}/mch-api/v1/auth?grant_type=client_credentials&uid=${your_uid}&client_secret=${your_client_secret}
You will receive a JSON response containing the Access Token (and other details), as shown in the following example:
HTTP/2 200 OK
Content-Type: application/json
{
"access_token": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6",
"expires_in": 3600
}
The access token expires by default after 3600 seconds (60 minutes), after which your application must acquire a new access token.
Step 2. Accessing API Resources with an Access Token
You can use access tokens to invoke the API methods of this document.
Example:
curl "https://${domain_name}/mch-api/v1/resource" -H "Authorization: Bearer ${access_token}"
If the access token is valid, the server will return the corresponding data to the application.
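The two steps above as one client, written as an added example that is not code from the API provider. It caches the token until shortly before expires_in elapses and masks client_secret before the /auth URL is logged, since that URL carries the secret in its query string. The names TokenClient, redact and http_get, the 60-second refresh margin and the injectable transport are assumptions of this example.

```python
import json
import time
import urllib.parse
import urllib.request

def http_get(url, headers=None):
    """Default transport: HTTPS GET that returns the decoded JSON body."""
    req = urllib.request.Request(url, headers=headers or {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def redact(url):
    """Mask client_secret so the token URL can be written to logs."""
    parts = urllib.parse.urlsplit(url)
    query = [(k, "***" if k == "client_secret" else v)
             for k, v in urllib.parse.parse_qsl(parts.query)]
    masked = urllib.parse.urlencode(query, safe="*")
    return urllib.parse.urlunsplit(parts._replace(query=masked))

class TokenClient:
    """Client-credentials flow: fetch, cache and re-acquire the access token."""
    def __init__(self, base_url, uid, client_secret, get=http_get,
                 clock=time.monotonic, skew=60):
        if not base_url.startswith("https://"):
            raise ValueError("credentials must only be sent over HTTPS")
        self.base_url, self.uid = base_url.rstrip("/"), uid
        self._secret, self._get, self._clock = client_secret, get, clock
        self._skew = skew  # assumption: refresh 60 s before expires_in elapses
        self._token, self._expires_at = None, 0.0

    def auth_url(self):
        query = urllib.parse.urlencode({"grant_type": "client_credentials",
                                        "uid": self.uid,
                                        "client_secret": self._secret})
        return f"{self.base_url}/mch-api/v1/auth?{query}"

    def token(self):
        # Reuse the cached token; request a new one only near expiry.
        if self._token is None or self._clock() >= self._expires_at:
            body = self._get(self.auth_url())
            self._token = body["access_token"]
            lifetime = body.get("expires_in", 3600)
            self._expires_at = self._clock() + lifetime - self._skew
        return self._token

    def get_resource(self, path):
        # The token travels in the Authorization header, never in the URL.
        headers = {"Authorization": f"Bearer {self.token()}"}
        return self._get(f"{self.base_url}{path}", headers)
```

Load uid and client_secret from the environment or a secret store rather than from source code, and pass redact(client.auth_url()) to any logger instead of the raw URL.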