
API Keys

Overview

PayNet's API Gateway utilises OAuth 2.0 and requires an access token to be passed in each request for authentication. Before your application can generate an access token and make requests to PayNet APIs, you will need to generate API keys for your application.

info

We are in the midst of updating all our APIs to support OAuth 2.0. Please refer to the respective API product reference to find out which authentication method is currently supported.

Generating your API Keys

To generate your application's API keys, you will need to register your application in the PayNet Developer Portal. Once registered, you will be provided a Client ID and Client Secret key pair for your application to be used in the Development environment.

| Field | Description |
| --- | --- |
| Client ID | Similar to how a username identifies a user, the Client ID identifies the application that is making the API call. |
| Client Secret | Similar to how a password proves a user is who they say they are, the Client Secret is used to validate the identity of the application that is making the API call. |

info

API Keys for Production environment are generated immediately, but will still need to be approved for access before your application can go live. Once your Production access request has been reviewed, you will be notified on whether access has been approved or denied.

Managing your API Keys

In the Developer Portal there are 3 possible actions for managing your API keys:

  1. Create an API Key
  2. Renew an API Key
  3. Revoke an API Key

Create an API Key

Step 1: Click Create API Key.

Screenshot of API Keys in Developer Portal Dashboard

Step 2: Click Confirm.

Screenshot Confirm Create API Key

Step 3: The newly created API key pair will be listed.

Screenshot Newly Created API Key

Renew an API Key

Step 1: Click the three dots ... next to the key you want to renew and click Renew.

Screenshot API Keys Actions

Step 2: Click Confirm.

Screenshot Confirm Renew API Key

Revoke an API Key

Step 1: Click the three dots ... next to the key you want to revoke and click Revoke.

Screenshot API Keys Actions

Step 2: Click Confirm.

Screenshot Confirm Renew API Key

Using the API Keys

The assigned Client ID and Client Secret keys are to be passed to the OAuth 2.0 API endpoint to generate an access token. On a successful request, an access token will be returned, which can subsequently be used to make requests to PayNet's APIs. The access token should be re-generated by the application once it has expired.

How It Works

Once you have received the Client ID and Client Secret from the Developer Portal, you can call our OAuth 2.0 resource server to have a token issued. A Bearer token is created, which you then embed in the Authorization header of subsequent API calls.

  1. Generate client_id and client_secret from the Developer Portal.

  2. Call the Authentication API to generate an access token.

Sample Request:

curl --location --request POST 'https://sandbox.api.paynet.my/auth/token' \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<client_id>' \
--data-urlencode 'client_secret=<client_secret>' \
--data-urlencode 'grant_type=client_credentials'

Sample Response:

{
"access_token": "eyJraWQiOiJmMGFlYjYyYzZhM2M0MmQ4YjA0N2Y4MmQ2NmY5NTA2OCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI2MzYzNjhmZTVkOGM0MzM2YjE1NjU4ZDRkYmU0NGM2NyIsIm5iZiI6MTY0OTY0MDk5NSwic2NvcGUiOiJycHA6bWVyY2hhbnQiLCJpc3MiOiJodHRwcz1cL1wvYXBpLnVhdC5pbmV0LnBheW5ldC5teVwvYXV0aCIsImV4cCI6MTY0OTcyNzM5NSwiaWF0IjoxNjQ5NjQwOTk1LCJqdGkiOiJjZWY4NDgyZjZlZWE0Y2YzOGE0ODMxNTcxZDgwMTQ4NyJ9.cCaJWBnajAmgRP7Lmkp5RwGYucRwuwLiqKLGwTcUSWSPx91RHATiAncK5Tcflk6ay7-wWZmiQLQ4LgE2xPbp3feliCP4NmMMPr4FK95sIgPrEZpCr-2qqStBrN4DNaYWWLtlXnuCg31aD1934Zjq-T_khGuMPrY_8_x50BsRez-_x0bbURvXCLe8LzCdhHTUS8CvKh4k_A6jqnoPbgnZSWAnSzhi92lGzI6SKhnA7O1CfOzI1VS_ASw21edhuqZ8_tdm5cBCsIq4LAg1xENWZiJsef-Y5We3T-RRQGZCbIAeEIDSpp7awOXHRbLMWRbjmvstcbn2R9KoFBOh53yUGg",
"token_type": "bearer",
"scope": "rpp:merchant",
"expires_in": 86400
}

  3. Add the access_token from the response to the Authorization header of the API request.

curl --location -g --request PUT 'https://api_domain' \
--header 'Authorization: Bearer eyJraWQiOiJmMGFlYjYyYzZhM2M0MmQ4YjA0N2Y4MmQ2NmY5NTA2OCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI2MzYzNjhmZTVkOGM0MzM2YjE1NjU4ZDRkYmU0NGM2NyIsIm5iZiI6MTY0OTY0MDk5NSwic2NvcGUiOiJycHA6bWVyY2hhbnQiLCJpc3MiOiJodHRwcz1cL1wvYXBpLnVhdC5pbmV0LnBheW5ldC5teVwvYXV0aCIsImV4cCI6MTY0OTcyNzM5NSwiaWF0IjoxNjQ5NjQwOTk1LCJqdGkiOiJjZWY4NDgyZjZlZWE0Y2YzOGE0ODMxNTcxZDgwMTQ4NyJ9.cCaJWBnajAmgRP7Lmkp5RwGYucRwuwLiqKLGwTcUSWSPx91RHATiAncK5Tcflk6ay7-wWZmiQLQ4LgE2xPbp3feliCP4NmMMPr4FK95sIgPrEZpCr-2qqStBrN4DNaYWWLtlXnuCg31aD1934Zjq-T_khGuMPrY_8_x50BsRez-_x0bbURvXCLe8LzCdhHTUS8CvKh4k_A6jqnoPbgnZSWAnSzhi92lGzI6SKhnA7O1CfOzI1VS_ASw21edhuqZ8_tdm5cBCsIq4LAg1xENWZiJsef-Y5We3T-RRQGZCbIAeEIDSpp7awOXHRbLMWRbjmvstcbn2R9KoFBOh53yUGg' \
--data-raw '{
<Sample Body>
}'
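
The three steps above as a small client, added here as an illustration and not PayNet's own code: it requests a token with the client credentials grant, reuses it until shortly before `expires_in` elapses, and re-generates it afterwards. The `TokenCache` class, the 60-second margin and the `PAYNET_CLIENT_ID` / `PAYNET_CLIENT_SECRET` environment variable names are assumptions.

```python
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://sandbox.api.paynet.my/auth/token"  # from the sample request on this page


def http_post_form(url, fields):
    """POST form-encoded fields (as in the curl sample) and return the parsed JSON body."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(fields).encode(), method="POST",
        headers={"Accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Holds one access token; requests a new one `margin` seconds before expires_in runs out."""

    def __init__(self, client_id, client_secret, post=http_post_form,
                 clock=time.monotonic, margin=60):
        self._fields = {"client_id": client_id, "client_secret": client_secret,
                        "grant_type": "client_credentials"}
        self._post, self._clock, self._margin = post, clock, margin
        self._token, self._deadline = None, 0.0

    def token(self):
        if self._token is None or self._clock() >= self._deadline:
            body = self._post(TOKEN_URL, self._fields)
            if body.get("token_type", "").lower() != "bearer" or not body.get("access_token"):
                raise ValueError("unexpected token response")  # body is not echoed into logs
            self._token = body["access_token"]
            self._deadline = self._clock() + max(0, int(body["expires_in"]) - self._margin)
        return self._token

    def auth_header(self):
        """Header dict for step 3: Authorization: Bearer <access_token>."""
        return {"Authorization": "Bearer " + self.token()}

    def invalidate(self):
        """Force the next token() call to request a new token."""
        self._token = None


def cache_from_env():
    # Assumed variable names; reading them at runtime keeps the secret out of source code.
    return TokenCache(os.environ["PAYNET_CLIENT_ID"], os.environ["PAYNET_CLIENT_SECRET"])
```

Passing `post` and `clock` as parameters lets the refresh logic be exercised without network access or real credentials.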