access_token is a unique string of letters and numbers that you pass with every API call, so WePay knows you are authorized to make that call.
access_token is associated with:
- Your API application.
- The user you are acting on behalf of (for merchants, this is yourself).
- The permissions your app has for that user.
If you include an access_token in an API call, we automatically know the API application and the WePay user for whom the call is being made.
The access token should be passed in the ‘Authorization’ HTTP request header. It should look like this:
Authorization: Bearer <access-token>
(Just make sure to replace <access-token> with the appropriate
Access Token Security
Access tokens are private, so they should never be shared or passed as a GET or POST argument. You should never email your access token to WePay or to a third party.
Getting an access_token
If you are a merchant who only accepts payments from your customers, you can find your access_token on the “API Keys” tab of your app dashboard.
If you’re a platform that facilitates payments for your users, you have to use a different access_token for each user. You can get an access_token for a user via the OAuth2 flow.
If you want to make a call for user #1 you need to use the access_token you have for user #1, and if you want to make a call for user #2, you should use the access token you have for user #2.
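The two rules above (the token travels only in the Authorization header, and a platform uses each user's own token) can be enforced in one request builder. This is an added example, not WePay's code; the base URL, call paths, user ids, token values and helper names are constructed for illustration.

```python
import json
import urllib.request
from urllib.parse import urlencode

API_BASE = "https://api.example.invalid/v2"  # placeholder base URL (assumption)

# Constructed sample store: a platform holds one access_token per user.
# A real deployment would keep these in an encrypted datastore, not a dict.
TOKENS = {"user-1": "tokconstructedaaa111", "user-2": "tokconstructedbbb222"}


class TokenLeakError(ValueError):
    """An access_token would have travelled outside the Authorization header."""


def build_request(user_id, path, params=None, body=None, tokens=TOKENS):
    """Build a request for user_id carrying that user's token in the header only."""
    token = tokens[user_id]  # KeyError on unknown user: never borrow another user's token
    # Refuse any stored token (not just this user's) in a GET or POST argument.
    # Tokens are letters and numbers, so a substring check on the JSON form is enough.
    blob = json.dumps([params, body])
    if any(secret in blob for secret in tokens.values()):
        raise TokenLeakError("access_token found in query parameters or body")
    url = API_BASE + path + ("?" + urlencode(params) if params else "")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data,
                                 method="POST" if data is not None else "GET")
    req.add_header("Authorization", "Bearer " + token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def redacted_headers(req):
    """Header view that is safe to write to logs: the bearer value is masked."""
    return {k: ("Bearer [redacted]" if k.lower() == "authorization" else v)
            for k, v in req.header_items()}
```

Building the request does not send it; pass the result to urllib.request.urlopen once the real base URL and call path are filled in.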
A revoked access token means your app can no longer make API calls on behalf of a particular user.
access_tokens can be revoked in two ways:
- The user goes to their user settings on WePay and manually revokes the
- Your app requests a new access_token via the /oauth2/token call. Each time you make the /oauth2/token call, we revoke all access_tokens for that user that were previously issued to your app. You should only make the /oauth2/token call if the current access_token does not work.