Authentication
Every Unipaas API call is authenticated. Which credential you use depends on where the call comes from: your server, or the browser.
Server to server
Section titled “Server to server”Server-side calls, the Pay-in, Account, and Payout APIs, the hosted onboarding link, and the checkout call, authenticate with your private key as a bearer token:
Authorization: Bearer <PLATFORM_API_KEY>That header is all a server-side request needs. The Quickstart runs a full call end to end.
Client to server
Section titled “Client to server”When your app calls Unipaas from the browser, such as the embedded onboarding UI, it must not use the
private key. Instead, your server calls POST /authorize with the private key to mint a short-lived
access token, scoped to the operations you name, and the browser uses that token.
curl -X POST https://sandbox.unipaas.com/platform/authorize \ -H "Authorization: Bearer <PLATFORM_API_KEY>" \ -H "Content-Type: application/json" \ -d '{ "scopes": ["onboarding_write"], "vendorId": "<VENDOR_ID>" }'scopes is required; vendorId is optional. The response returns the scoped token and its lifetime:
{ "accessToken": "eyJhbGciOiJI...", "expiresIn": "3600", "vendorId": "<VENDOR_ID>", "scopes": ["onboarding_write"]}The browser sends accessToken as its bearer token. It expires, so mint a new one when needed. Your
private key stays on your server, and the browser only ever holds a limited, temporary token.