Authentication
Overview
The Forage Payments API supports two kinds of bearer tokens:
- Authentication Tokens: long-lived tokens used by backend servers to manage Sessions and Payments
- Session Tokens: short-lived tokens used by client applications to create Payment Methods and GET other objects created by your backend
Authentication Tokens
- Intended for use by your backend to make requests for creating Sessions and Payment objects
- Forage Authentication tokens are OAuth v2 bearer tokens, which are generated using the client id and client secret you created on the Forage Dashboard
- Authentication Token expiry can be set to a value between 1 and 30 days
- There can be up to 1000 active live bearer tokens for a client ID and client secret pair at any given time
- Use the Forage Dashboard to manage or disable an OAuth application
It is extremely important to avoid exposing the OAuth client ID or client secret in a frontend application. Doing so allows attackers to generate an unlimited number of Authentication Tokens under your account and create fraudulent charges.
Session Tokens
- Intended for use by your clients to make frontend requests, which include:
  - All SDK operations
  - All operations related to Payment objects
    - POST a new payment method: /api/payment_methods
    - GET or modify a payment method: /api/payment_methods/<ref>
    - GET orders: /api/orders/<ref>
  - Creating balance sessions for Custom Checkout
  - Note: session tokens should not be used to create Sessions or Order objects
- Session tokens are JSON Web Tokens (JWTs) that can be created using an existing auth token
- Session tokens expire after 15 minutes, so exposing a short-lived session token on the frontend client is safer than exposing a long-lived Authentication Token there
- When the customer arrives at checkout, your backend server should generate a session token and pass the session token to your frontend for all requests that the frontend must make
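As an added example (not Forage's own code), a backend-side guard that refuses to hand the frontend anything but a short-lived Session Token: an opaque OAuth2 bearer token, a token with no `exp` claim, or a JWT with more than 15 minutes of life is rejected before it can leave the server. The `sample_jwt` builder and its secret are constructed for illustration only; apart from the standard `exp` claim, no Forage claim names are assumed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SESSION_TOKEN_MAX_AGE = 15 * 60  # Session tokens expire after 15 minutes


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def is_session_token(token: str, now: Optional[float] = None) -> bool:
    """Return True only if token looks like a Session Token: a JWT whose
    exp claim lies at most 15 minutes in the future. Opaque bearer tokens
    (the long-lived Authentication Token format) and long-lived JWTs fail.
    Claims are inspected, not signature-verified: the backend received the
    token from the issuer over TLS, and this guard only decides whether it
    may be forwarded to the frontend."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False  # not a JWT, e.g. an opaque OAuth2 access token
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return False
    if header.get("typ", "JWT") != "JWT" or "exp" not in payload:
        return False
    remaining = payload["exp"] - now
    return 0 < remaining <= SESSION_TOKEN_MAX_AGE


def sample_jwt(payload: dict, secret: bytes = b"constructed-secret") -> str:
    """Build a constructed HS256 JWT for demonstration (not a real token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    t = int(time.time())
    print(is_session_token(sample_jwt({"exp": t + 600})))        # True
    print(is_session_token(sample_jwt({"exp": t + 30 * 86400})))  # False
    print(is_session_token("opaque-oauth2-bearer-token"))         # False
```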