Access Tokens
An access_token is a unique string of letters and numbers that you pass with every API call, so WePay knows you are authorized to make that call.
Each access_token is associated with:
- Your API application.
- The user you are acting on behalf of (for merchants, this is yourself).
- The permissions your app has for that user.
If you include an access_token in an API call, we automatically know the API application and the WePay user for whom the call is being made.
The access token should be passed in the ‘Authorization’ HTTP request header. It should look like this:
Authorization: Bearer <access-token>
(Just make sure to replace <access-token> with the appropriate access_token.)
Access Token Security
Access tokens are private, so they should never be shared or passed as a GET or POST argument. You should never email your access token to WePay or to a third party.
Getting an access_token
If you are a merchant who only accepts payments from your customers, you can find your access_token on the “API Keys” tab of your app dashboard.
If you’re a platform that facilitates payments for your users, you have to use a different access_token for each user. You can get an access_token for a user via the OAuth2 flow.
If you want to make a call for user #1 you need to use the access_token you have for user #1, and if you want to make a call for user #2, you should use the access_token you have for user #2.
Revoked access_token
A revoked access_token means your app can no longer make API calls on behalf of a particular user. Access tokens can only be revoked if your app requests a new access_token via the /oauth2/token call. Each time you make the /oauth2/token call, we revoke all access_tokens for that user that were previously issued to your app. You should only make the /oauth2/token call if the current access_token does not work.
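The following is an added example, not WePay's own code: a small client that keeps one access_token per user, sends it only in the Authorization header, and requests a new token from /oauth2/token only after the current one stops working. FakeWePay is a constructed in-memory stand-in for the token endpoint that applies the revocation rule above (a new token for a user revokes every earlier token for that user), so the example shows why a second process refreshing the same user's token breaks the first process's token.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class FakeWePay:
    """Constructed stand-in for WePay (assumption, not the real API)."""
    valid: dict = field(default_factory=dict)  # user_id -> the one currently valid token

    def oauth2_token(self, user_id: str) -> str:
        # Issuing a new token revokes all tokens previously issued for this user/app.
        token = secrets.token_hex(16)
        self.valid[user_id] = token
        return token

    def api_call(self, headers: dict, user_id: str) -> int:
        # The token is read only from the Authorization header, never from query or body.
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401
        return 200 if auth[len("Bearer "):] == self.valid.get(user_id) else 401


class TokenClient:
    """Holds one access_token per user; refreshes only when a call fails with 401."""

    def __init__(self, server: FakeWePay):
        self.server = server
        self.tokens: dict = {}
        self.refreshes = 0  # counts /oauth2/token calls made by this client

    def headers_for(self, user_id: str) -> dict:
        if user_id not in self.tokens:
            self.tokens[user_id] = self.server.oauth2_token(user_id)
            self.refreshes += 1
        return {"Authorization": f"Bearer {self.tokens[user_id]}"}

    def call(self, user_id: str) -> int:
        status = self.server.api_call(self.headers_for(user_id), user_id)
        if status == 401:
            # Current token does not work: only now request a new one and retry once.
            self.tokens.pop(user_id, None)
            status = self.server.api_call(self.headers_for(user_id), user_id)
        return status
```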