Authentication

Overview

The Forage Payments API supports two kinds of bearer tokens:

  1. Authentication Tokens: long-lived tokens used by backend servers to manage Sessions and Payments
  2. Session Tokens: short-lived tokens used by client applications to create Payment Methods and GET other objects created by your backend

Authentication Tokens

  • Intended for use by your backend to make requests for creating Sessions and Payment objects
  • Forage Authentication tokens are OAuth v2 bearer tokens, which are generated using the client id and client secret you created on the Forage Dashboard
  • Authentication Token expiry can be set to a value between 1 and 30 days
  • There can be up to 1000 active live bearer tokens for a client ID and client secret pair at any given time
  • Use the Forage Dashboard to manage or disable an OAuth application

Important: It is extremely important to avoid exposing the OAuth client ID or client secret in a frontend application. Doing so allows attackers to generate an unlimited number of Authentication Tokens under your account and create fraudulent charges.

Session Tokens

  • Intended for use by your clients to make frontend requests, which include:
    • All SDK operations
    • All operations related to Payment objects
    • POST a new payment method /api/payment_methods
    • GET or modify a payment method /api/payment_methods/<ref>
    • GET orders /api/orders/<ref>
    • Creating balance sessions for Custom Checkout
    • Note: session tokens should not be used to create Sessions or Order objects
  • Session tokens are JSON Web Tokens (JWTs) that can be created using an existing auth token
  • Session tokens expire after 15 minutes, so exposing a short-lived session token on the frontend client is far safer than exposing a long-lived Authentication Token
  • When the customer arrives at checkout, your backend server should generate a session token and pass the session token to your frontend for all requests that the frontend must make
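As an added example (not code from the Forage docs), the following backend-side guard refuses to hand anything but a short-lived session JWT to the frontend, so a long-lived Authentication Token can never be passed through by mistake. It assumes the session token carries the standard `iat` and `exp` JWT claims; the HS256 minting helper only produces constructed test tokens, and signature verification is left to the API.

```python
import base64
import hashlib
import hmac
import json
import time

SESSION_TOKEN_MAX_LIFETIME = 15 * 60  # session tokens expire after 15 minutes


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_session_jwt(claims: dict, secret: bytes) -> str:
    """Constructed HS256 JWT standing in for a session token (test data only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def safe_for_frontend(token: str, now=None) -> bool:
    """True only if `token` is a JWT whose lifetime fits the 15-minute window
    and has not expired. Opaque OAuth bearer tokens (the long-lived
    Authentication Tokens) and anything malformed are rejected."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False  # not a JWT, so not a session token
    try:
        claims = json.loads(_b64url_decode(parts[1]))
        iat, exp = int(claims["iat"]), int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return False  # missing or unparsable claims
    if exp <= now:
        return False  # already expired; mint a fresh one instead
    return 0 < exp - iat <= SESSION_TOKEN_MAX_LIFETIME


if __name__ == "__main__":
    secret = b"constructed-test-secret"  # constructed; never a real client secret
    issued = int(time.time())
    session = make_session_jwt({"iat": issued, "exp": issued + 900}, secret)
    print("session token ok:", safe_for_frontend(session))
    print("opaque auth token ok:", safe_for_frontend("opaque-oauth-bearer-token"))
```

Call `safe_for_frontend` in the checkout handler immediately before returning a token to the browser; a `False` result means the wrong token type (or a stale one) was about to leak.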

What’s Next

To create a new Authentication Token, see the Generate Token request