Authentication

Vpay uses OAuth2 client credentials (via Keycloak) to issue JWT access tokens for server-to-server API calls.

Obtain a token

POST /api/public/security/auth

Field          Type    Required  Description
client_id      string  Yes       Terminal client ID (OAuth2 client)
client_secret  string  Yes       Terminal client secret

Response:

Field      Type    Description
token      string  JWT access token
expiresIn  number  Token lifetime in seconds

curl -X POST "{sandboxBaseUrl}/api/public/security/auth" \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET"
  }'

Invalid credentials return 401 with a ProblemDetails body.

Use the token

Include the token on every protected endpoint:
Authorization: Bearer {token}
Protected routes require:
  • Authentication scheme: vpay (JWT validation)
  • Role: VpayTerminal
Your terminal is bound to the client_id used at authentication time.

Optional correlation header

You may send an operation correlation ID on any request:
X-idoperacion: your-unique-operation-id
This helps Vpay support trace requests across systems. It is optional but recommended for production integrations.

Token lifecycle

  • Request a new token before expiresIn elapses.
  • Do not embed tokens in client-side code or public pages.
  • Store client_secret only on your backend.
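
A backend-side token cache that follows the lifecycle rules above, as an added example (not Vpay's own code). The class name VpayTokenCache, the 30-second renewal margin, and the VPAY_* environment variable names are assumptions; the endpoint path, field names and headers are the ones documented on this page.

```python
import json
import os
import time
import urllib.request
import uuid

def http_post_json(url, payload):
    """POST JSON with the standard library; urlopen raises HTTPError on a 401."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class VpayTokenCache:
    """Hypothetical helper: caches the JWT and renews it before expiresIn elapses."""

    def __init__(self, base_url, client_id, client_secret,
                 post=http_post_json, clock=time.monotonic, margin=30):
        self._url = base_url.rstrip("/") + "/api/public/security/auth"
        self._creds = {"client_id": client_id, "client_secret": client_secret}
        self._post, self._clock, self._margin = post, clock, margin
        self._token, self._renew_at = None, 0.0

    def token(self):
        now = self._clock()
        if self._token is None or now >= self._renew_at:
            body = self._post(self._url, self._creds)
            self._token = body["token"]
            # Renew `margin` seconds early; for very short lifetimes, renew at half-life.
            lifetime = float(body["expiresIn"])
            self._renew_at = now + max(lifetime - self._margin, lifetime / 2)
        return self._token

    def headers(self, operation_id=None):
        """Headers for a protected call, including the optional correlation ID."""
        return {
            "Authorization": f"Bearer {self.token()}",
            "X-idoperacion": operation_id or str(uuid.uuid4()),
        }

    def __repr__(self):  # keep the secret and the token out of logs and tracebacks
        return f"<VpayTokenCache client_id={self._creds['client_id']!r}>"

if __name__ == "__main__":
    # Assumed variable names; the secret is read from the backend's environment only.
    cache = VpayTokenCache(os.environ["VPAY_BASE_URL"],
                           os.environ["VPAY_CLIENT_ID"], os.environ["VPAY_CLIENT_SECRET"])
    print(cache.headers()["X-idoperacion"])
```

The post and clock parameters exist so the renewal logic can be unit-tested without network access or real credentials.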

Get auth token

Full endpoint reference for POST /api/public/security/auth.