Authentication and headers

To get an access token, you must create a Jamatu app. When you create an app, Jamatu generates a set of OAuth client_id and secret keys for it, for both the sandbox and live environments. To get an access token, you pass the client_id:secret credentials as a URL parameter in the get access token request. The authorization server issues an access token in exchange for your client ID and secret credentials. You use the access token for authentication when you make REST API requests.

For more information, see make your first call. If you are a non-US developer, see International Developer Questions. You can use your sandbox access token to try any of the code in the REST API reference.

| Request header | Description |
| --- | --- |
| Authorization | When you request an access token, send the value as the HTTP basic authentication credentials by using your client_id and secret. If you use cURL, specify -u "client_id:secret". When you call APIs, send the value as the OAuth 2.0 access token with the authentication type set as Bearer. For example: Authorization: Bearer Access-Token. Required. |
| Accept | Set to application/json. Required. |
| Jamatu-Request-Id | Contains a unique ID that you generate that can be used for enforcing idempotency. Note: Omitting this header increases the risk of duplicate transactions. |
| Jamatu-Client-Metadata-Id | Jamatu uses this client metadata ID to verify that the request is originating from a valid, user-consented device+application. This helps reduce fraud and decrease declines. Requests that do not include a client metadata ID are not eligible for Jamatu Protection. To initiate a pre-consented request from a mobile device. |

Authentication and headers

Use the OAuth request to get an access token for use with your payments calls.

For authentication and authorization related to Identity, learn how to obtain a user’s consent.

Requests

Include the client_id:secret as your basic auth credentials.

| Property | Type | Description |
| --- | --- | --- |
| grant_type | string | Token grant type. Must be set to client_credentials. Required. |
| content-type | string | Set to application/x-www-form-urlencoded for access token requests. By default, cURL sets this value so it is not shown in the request sample. However, you might need to explicitly set this value for non-cURL implementations. |

Request sample

    curl https://api.jamatu.com/oauth2/token \
      -H "Accept: application/json" \
      -H "Accept-Language: en_US" \
      -u "client_id:secret" \
      -d "grant_type=client_credentials"

Response

| Property | Type | Description |
| --- | --- | --- |
| scope | string | Scopes expressed in the form of resource URL endpoints. The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings. Value assigned by Jamatu. |
| access_token | string | The access token issued by Jamatu. After the access token expires (see expires_in), you must request a new access token. Value assigned by Jamatu. |
| token_type | string | The type of the token issued as described in OAuth2.0 RFC6749, Section 7.1. Value is case insensitive. Value assigned by Jamatu. |
| expires_in | integer | The lifetime of the access token, in seconds. Value assigned by Jamatu. |

Response sample

    {
      "scope": "https://api.Jamatu.com/v1/payments/",
      "access_token": "EEwJ6tF9x5WCIZDYzyZGaz6Khbw7raYRIBV_WxVvgmsG",
      "token_type": "Bearer",
      "app_id": "APP-6XR95014BA15863X",
      "expires_in": 28800
    }
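
The following Python is an added example, not Jamatu's own code. It builds the token request with HTTP basic credentials, tracks expires_in so that an expired token is never sent, and sets Jamatu-Request-Id on API calls. The names build_token_request and TokenCache, the 60-second skew, and the UUID format of the request ID are assumptions.

```python
import base64, json, time, uuid
from urllib.parse import urlencode

TOKEN_URL = "https://api.jamatu.com/oauth2/token"  # from the request sample

def build_token_request(client_id, secret):
    """Return (url, headers, body) for the client_credentials token request."""
    basic = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",  # HTTP basic auth, same as curl -u
        "Accept": "application/json",
        # cURL adds this for -d; other HTTP clients may need it set explicitly.
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return TOKEN_URL, headers, urlencode({"grant_type": "client_credentials"})

class TokenCache:
    """Keeps one access token and decides when a new one must be requested."""

    def __init__(self, skew=60):  # skew: assumed safety margin in seconds
        self.skew, self.token, self.expires_at = skew, None, 0.0

    def store(self, response_text, now=None):
        data = json.loads(response_text)
        if data["token_type"].lower() != "bearer":  # value is case insensitive
            raise ValueError("unsupported token_type")
        now = time.time() if now is None else now
        self.token = data["access_token"]
        self.expires_at = now + int(data["expires_in"]) - self.skew

    def needs_refresh(self, now=None):
        now = time.time() if now is None else now
        return self.token is None or now >= self.expires_at

    def api_headers(self, request_id=None, now=None):
        """Headers for one API call. Pass the same request_id when retrying
        the same operation so the idempotency check can recognise it."""
        if self.needs_refresh(now):
            raise RuntimeError("access token missing or expired; request a new one")
        return {
            "Authorization": f"Bearer {self.token}",
            "Accept": "application/json",
            # UUID format is an assumption; the page only asks for a unique ID.
            "Jamatu-Request-Id": request_id or str(uuid.uuid4()),
        }

# Constructed sample response, modelled on the response sample above.
SAMPLE = '{"access_token": "EXAMPLE-TOKEN", "token_type": "bearer", "expires_in": 28800}'
```

Send the tuple from build_token_request with any HTTP client, pass the response body to TokenCache.store, and call api_headers before each REST request.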

Authorization endpoint:

Live

    https://www.jamatu.com/authorize

Sandbox

    https://www.test.jamatu.com/authorize

Use the following URL with browser redirect (HTTP 302) to invoke the login flow from the application to Log In with Jamatu:

| Property | Type | Description |
| --- | --- | --- |
| client_id | string | Unique client ID obtained through the application registration process. Required. |
| response_type | string | code: Requests that an authorization code be sent to the application return URL. Recommended, as access tokens are not visible in the user-agent. token: Returns a token. Typically used by public clients, such as JavaScript or mobile applications. |
| scope | string | URL-encoded, space-separated list of requested scope URIs. For example (URL-encoded): “profile+email+address”. For a list of possible values, see Log In with Jamatu User Attributes. |
| redirect_uri | string | Application return URL where the authorization code is sent. The specified redirect_uri must match the return URL registered for your app on the My Apps & Credentials page of the Jamatu Developer site. All parts of the specified redirect_uri, including protocol, host, port, context path, and query parameter names and values, must match, with the exception of the state parameter. You can use the state parameter to pass information that was not known at the time the return URL for your app was registered. You must URL-encode and Base64-encode the state parameter value. |