Skip to content
Guides
Authentication

Authentication

Every Unipaas API call is authenticated. Which credential you use depends on where the call comes from: your server, or the browser.

Server-side calls, the Pay-in, Account, and Payout APIs, the hosted onboarding link, and the checkout call, authenticate with your private key as a bearer token:

Authorization: Bearer <PLATFORM_API_KEY>

That header is all a server-side request needs. The Quickstart runs a full call end to end.

When your app calls Unipaas from the browser, such as the embedded onboarding UI, it must not use the private key. Instead, your server calls POST /authorize with the private key to mint a short-lived access token, scoped to the operations you name, and the browser uses that token.

curl -X POST https://sandbox.unipaas.com/platform/authorize \
-H "Authorization: Bearer <PLATFORM_API_KEY>" \
-H "Content-Type: application/json" \
-d '{
"scopes": ["onboarding_write"],
"vendorId": "<VENDOR_ID>"
}'

scopes is required; vendorId is optional. The response returns the scoped token and its lifetime:

{
"accessToken": "eyJhbGciOiJI...",
"expiresIn": "3600",
"vendorId": "<VENDOR_ID>",
"scopes": ["onboarding_write"]
}

The browser sends accessToken as its bearer token. It expires, so mint a new one when needed. Your private key stays on your server, and the browser only ever holds a limited, temporary token.