OAuth2 Account Creation

OAuth2 Introduction

OAuth2 is a process by which you can get a merchant’s permission to do things on their behalf, like process payments for them, view their account balance, refund payments, etc. The end result of OAuth2 is getting an access_token, which is a secret parameter that lets you act on a specific merchant’s behalf.

Using OAuth2, your platform can easily setup a payment account for your users and get them processing payments quickly with only four fields to fill out - with very little interruption of the user experience and light WePay branding.

If you want to be able to process payments for a merchant, getting an access_token is always the first step.


A crowdfunding site wants to enable its fundraiser to collect donations. The crowdfunding site first needs to be able to create a WePay payment account for each fundraiser. This allows the fundraiser to charge credit cards and have the money collected sent to their WePay account, where they will view account balances, refund payments, withdraw money, etc. To do this easily, the crowdfunding site uses OAuth2 to get permission from the fundraiser to do all of this automatically.

At WePay, fundraisers are the merchants and donors are the payers and we’ll use those terms below.

Live Example

This is what the user experience for OAuth2 looks like. Click here to create your WePay account.


There are 4 steps to OAuth2:

  1. The merchant clicks on the OAuth2 button on your site and confirms with WePay that they want to grant you permission to process payments for them.
  2. The merchant confirms and you receive a temporary code parameter.
  3. You exchange the temporary code parameter with WePay for a permanent access_token that will let you do things on the merchant’s behalf.
  4. Make the /account/create call with the access_token from step 3 to get an account_id.

Step 1

The first step is to put the OAuth2 button embed code on your site. Below, is an example of the embed code. Make sure you replace the client_id with your own app’s client_id!

  • java

The user will click on the button and be presented with a co-branded popup where they confirm that they want to give you permission to process payments on their behalf. To do so they will either login (if they already have a WePay account), or register (if they do not have a WePay account already).


As a Best Practice, we recommend asking for all necessary Scope up-front. See our best practices for more information.

Step 2

After the user clicks “Grant Access” in the OAuth2 popup above, it will call whatever callback function you specified. The 1st parameter passed to the callback function will be a data JSON object which has a code property. You should pass this code parameter to your server where it will be used in step 3 to get an access_token.

Step 3

Now that you have passed the temporary code parameter to your server, you can use it to get a permanent access_token.

To do so, you will make the /oauth2/token API call. You will pass your client_id, client_secret, the temporary code parameter, and whatever redirect_uri you specified in step 1.

The response to this call will include an access_token. This access_token is a permanent parameter that will let you make API calls on behalf of the merchant. You should store this access_token in your database, and take steps to keep it secure (treat it like you would a hashed password).

  • PHP
  • cURL
  • Ruby
  • Python

Step 4

Each merchant requires a payment account in order to start processing payments. A payment account has its own transaction history and account balance. Once you have an access_token for each merchant, you’ll want to create a payment account for each merchant.

All you need to do is make the /account/create call with the merchant’s access_token. The account name that you specify will be used on receipts and on the credit card statement for payments made to this account.

You will receive back an account_id which you should store in your database. You will use the merchant’s account_id and access_token when making payments with the /checkout/create call (for example). You can also use the account_id to look up the account balance and status.

  • PHP
  • cURL
  • Ruby
  • Python


As a Best Practice, we recommend using a recognizable account name during account creation, as this is what appears in a payer’s credit card statement. As such, a unrecognizable account name could lead to returned funds. Read more here

Next Steps

Now that you have an account_id and an access_token, you can help the merchant accept payments. Read the process payments overview for information on how to do that.