# Authentication
# V1
Authentication uses a JWT bearer token, which the API provides in its response. During the checkout journey, the interface will make an API request to either create or retrieve a transaction. The response from the API will contain a token as a response header:
Request:
GET https://payments-2.netdirector.co.uk/api/transaction?uuid=5d081471-0c12-5183-a611-a1ed1d9bbacb-EU01&expand=customer,ndMeta
Response Headers:
authentication-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImp0aSI6IjUxZmE5NGRiLWU1NWItNTdjNi1iZmZhLTFjNzczMDgyYzUwYyJ9.eyJpc3MiOiJFVTAxIiwiYXVkIjoiRVUwMSIsImlhdCI6MTY4MjQyNzE4Ni4zODM0ODUwNzg4MTE2NDU1MDc4MTI1LCJleHAiOjE2ODMwMzE5ODYuMzgzNDg1MDc4ODExNjQ1NTA3ODEyNSwianRpIjoiNTFmYTk0ZGItZTU1Yi01N2M2LWJmZmEtMWM3NzMwODJjNTBjIiwidG9rZW5EYXRhIjp7InR5cGUiOiJiYXNpYyIsImlkIjoiNTFmYTk0ZGItZTU1Yi01N2M2LWJmZmEtMWM3NzMwODJjNTBjIiwidHJhbnNhY3Rpb25zIjpudWxsLCJuZElkIjpudWxsLCJhY2NvdW50IjpudWxsLCJlbWFpbCI6bnVsbCwibGFzdExvZ2luIjpudWxsLCJudW1iZXJPZkxvZ2luIjpudWxsLCJjb25maWciOltdfX0.HT8tXH786jLyll4WwhjPXmOo0sBeZtplaLRAM82Hz_o
This token represents the user's session, which may be authenticated or anonymous. The token should be attached to all subsequent API requests as the Authorization header:
GET /api/transaction?uuid=5d081471-0c12-5183-a611-a1ed1d9bbacb-EU01&expand=customer,ndMeta
authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImp0aSI6IjUxZmE5NGRiLWU1NWItNTdjNi1iZmZhLTFjNzczMDgyYzUwYyJ9.eyJpc3MiOiJFVTAxIiwiYXVkIjoiRVUwMSIsImlhdCI6MTY4MjQyNzE4Ni4zODM0ODUwNzg4MTE2NDU1MDc4MTI1LCJleHAiOjE2ODMwMzE5ODYuMzgzNDg1MDc4ODExNjQ1NTA3ODEyNSwianRpIjoiNTFmYTk0ZGItZTU1Yi01N2M2LWJmZmEtMWM3NzMwODJjNTBjIiwidG9rZW5EYXRhIjp7InR5cGUiOiJiYXNpYyIsImlkIjoiNTFmYTk0ZGItZTU1Yi01N2M2LWJmZmEtMWM3NzMwODJjNTBjIiwidHJhbnNhY3Rpb25zIjpudWxsLCJuZElkIjpudWxsLCJhY2NvdW50IjpudWxsLCJlbWFpbCI6bnVsbCwibGFzdExvZ2luIjpudWxsLCJudW1iZXJPZkxvZ2luIjpudWxsLCJjb25maWciOltdfX0.HT8tXH786jLyll4WwhjPXmOo0sBeZtplaLRAM82Hz_o
# V2
The V2 API will not accept a V1 token; an access token is required in order to access the V2 API.
# Requesting an access token
# Credentials
Partner credentials can be requested from the NOP2 product owner (David Dixon). They will be in the following format:
{
ClientId: string
ClientSecret: string
}
When requesting an access token, the ClientId and ClientSecret should be used as the username and password of a base64-encoded basic auth string. The encoded string must not include a trailing newline, so use printf rather than a plain echo, e.g.:
printf '%s' "myClientId:myClientSecret" | base64
// bXlDbGllbnRJZDpteUNsaWVudFNlY3JldA==
# Staging
curl --request POST \
--url https://nop2.api.staging.netdirector.auto/oauth2/token \
--header 'Authorization: Basic bXlDbGllbnRJZDpteUNsaWVudFNlY3JldA==' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=client_credentials \
--data 'scope=nop2/read nop2/write'
# Production
curl --request POST \
--url https://nop2.api.netdirector.auto/oauth2/token \
--header 'Authorization: Basic bXlDbGllbnRJZDpteUNsaWVudFNlY3JldA==' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=client_credentials \
--data 'scope=nop2/read nop2/write'
# Response
The access token should be cached and re-used based on the returned "expires_in" value, after which time it will have expired and will cease to function.
{
"access_token": "eyJraWQiOiJtT1FtUXZyUX....",
"expires_in": 3600,
"token_type": "Bearer"
}
# Using the access token
The access token that is returned should be included as the authorization bearer token for all V2 API requests:
GET /api/v2/transaction?filter[uuid]=2b7178d3-0849-5e06-9e7e-46bf8a403154-EU01&expand=extras
authorization: Bearer eyJraWQiOiIrTUxFZ3RWbjcrbVNJRzc3Qjl4N0hFZktKVm5uM2pZTEppS0VTeWNsWlRVPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI0NG9sbXMyNm1raXJnNDRrM3FqamQ2bGU1diIsInRva2VuX3VzZSI6ImFjY2VzcyIsInNjb3BlIjoibm9wMlwvcmVhZCBub3AyXC93cml0ZSIsImF1dGhfdGltZSI6MTY3OTU4MzE4NCwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG
# Errors
If the API receives a request for a protected V2 endpoint that does not have a valid access token, a 401 Unauthorized error will be returned.
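The V2 token handling described above (building the Basic header, caching by "expires_in", re-requesting after a 401), as an added Python example that is not part of the NOP2 documentation or code. The names `basic_auth_header`, `http_post_token` and `TokenCache`, the 60-second `skew`, and the injectable `fetch` and `clock` parameters are assumptions of this example; the token URL and scopes are the staging values shown on this page.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://nop2.api.staging.netdirector.auto/oauth2/token"  # staging, from this page

def basic_auth_header(client_id, client_secret):
    # Encode exactly "id:secret"; a trailing newline would become part of the secret.
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def http_post_token(client_id, client_secret):
    """Default transport: POST the client_credentials grant and return the parsed JSON."""
    form = {"grant_type": "client_credentials", "scope": "nop2/read nop2/write"}
    req = urllib.request.Request(
        TOKEN_URL, data=urllib.parse.urlencode(form).encode("ascii"), method="POST",
        headers={"Authorization": basic_auth_header(client_id, client_secret),
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Hypothetical helper: reuse one token until shortly before expires_in elapses."""

    def __init__(self, client_id, client_secret, fetch=http_post_token,
                 clock=time.monotonic, skew=60):
        self._creds = (client_id, client_secret)
        self._fetch, self._clock, self._skew = fetch, clock, skew
        self._token, self._expires_at = None, 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at:
            data = self._fetch(*self._creds)
            if data.get("token_type") != "Bearer":
                raise ValueError("unexpected token_type in token response")
            self._token = data["access_token"]
            # Expire `skew` seconds early so an in-flight request never carries a dead token.
            self._expires_at = now + max(0, int(data["expires_in"]) - self._skew)
        return self._token

    def invalidate(self):
        """Call after a 401 Unauthorized so the next get() fetches a fresh token."""
        self._token = None

    def auth_header(self):
        return {"Authorization": "Bearer " + self.get()}
```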