Skip to main content

Overview

All API requests must be authenticated using a bearer token (JWT).
  • Protocol: HTTPS
  • Authentication: Bearer token
  • Header: Authorization

Base URL

Use the appropriate <BASE_URL> for your environment:
  • Test environment: https://apigwuat.corpay.com
  • Production environment: https://apigw.corpay.com

Getting Access Token

To access the API, you must first obtain an access token. This requires a client_id and client_secret, which Corpay provides after onboarding is complete. Endpoint: POST <BASE_URL>/keycloak/realms/longship/protocol/openid-connect/token

Request

# Replace <BASE_URL> with the appropriate host for your environment

curl "<BASE_URL>/keycloak/realms/longship/protocol/openid-connect/token" \
  --header 'accept: application/json' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_id=your_client_id' \
  --data-urlencode 'client_secret=your_client_secret'

Response

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia----",
  "expires_in": 36000,
  "refresh_expires_in": 0,
  "token_type": "Bearer",
  "not-before-policy": 0,
  "scope": "profile email"
}

Using the Access Token

Include the token in every request header:
Authorization: Bearer <access_token>
  • In test environment, tokens may have a longer lifetime, for example 36000 seconds.
  • In production, tokens typically expire after 3600 seconds, or one hour.