Authentication
The UPG API offers several ways of granting access to protected resources. For most integrations, the easiest method is API Keys. If API Keys are not an option, the API also supports OAuth 2.0 token-based access. Two flows are supported: using client credentials to obtain an access token directly, or using refresh tokens to give partners access to resources.
Choosing the Right Flow
| Scenario | Applicable Flow |
|---|---|
| Backend service accessing your own data | API Keys |
| Backend service accessing your own data requiring more fine-grained control | Client Credentials |
| Partner app accessing data on behalf of a merchant | Refresh Token |
Key Concepts
| Concept | Description |
|---|---|
| Client | The service requesting access to protected resources |
| Application | An application with access to one or multiple scopes |
| Installation | An installation of an application granting access to one or multiple scopes |
| Client Credentials | A Client Id and Client Secret pair belonging to an application |
| Access Token | A JWT (JSON Web Token) credential used to access protected resources |
| Refresh Token | A long-lived JWT (JSON Web Token) credential used to obtain new access tokens |
| Scope | A permission that defines what resources the token can access |
| API Key | A long-lived credential to access resources without using access tokens |
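
The two OAuth 2.0 flows above differ only in the grant they send to the token endpoint. The sketch below is an added example, not UPG's own code: it builds, without sending, the RFC 6749 token request for each flow. The token URL, client values and scope names are constructed placeholders, and it assumes the token endpoint accepts HTTP Basic client authentication.

```python
import base64
import urllib.parse
import urllib.request

# Placeholder, not the real UPG endpoint: take the token URL from the API reference.
TOKEN_URL = "https://auth.example.invalid/oauth/token"


def _token_request(token_url, client_id, client_secret, form):
    """Build a POST to the token endpoint, authenticating the client via HTTP Basic."""
    if urllib.parse.urlsplit(token_url).scheme != "https":
        raise ValueError("token endpoint must be https: secrets travel in this request")
    # RFC 6749 section 2.3.1: form-encode id and secret, then Basic-encode the pair.
    # Assumption: the server accepts Basic client authentication.
    pair = "{}:{}".format(urllib.parse.quote_plus(client_id),
                          urllib.parse.quote_plus(client_secret))
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode(form).encode()
    return urllib.request.Request(token_url, data=body, headers=headers, method="POST")


def client_credentials_request(client_id, client_secret, scopes, token_url=TOKEN_URL):
    """Client Credentials flow: a backend asks for an access token for its own data."""
    if not scopes:
        raise ValueError("request explicit scopes; keep them to what the service needs")
    # Scope names are whatever the application was granted; sorted for a stable body.
    form = {"grant_type": "client_credentials", "scope": " ".join(sorted(scopes))}
    return _token_request(token_url, client_id, client_secret, form)


def refresh_token_request(client_id, client_secret, refresh_token, token_url=TOKEN_URL):
    """Refresh Token flow: a partner app trades a refresh token for a new access token."""
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    return _token_request(token_url, client_id, client_secret, form)


if __name__ == "__main__":
    # Constructed sample values; the Authorization header is deliberately not printed.
    req = client_credentials_request("demo-client", "demo-secret", ["orders.read"])
    print(req.get_method(), req.full_url, req.data.decode())
```

Load the client secret and refresh token from a secret store rather than source code, and keep the `Authorization` header and request body out of logs.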