Authentication

Payr uses token-based authentication for all API requests. There are two types of tokens:

Server Token (Server-to-Server)

Used for /onboarding/, /user-login/, and /rotate-token/. This is the long-lived API token provided by Payr or obtained via token rotation.

Authorization: Token your_server_api_token

User Session Token (Iframe / Session Inquiry)

Used for session queries. This is the short-lived token returned by /user-login/, intended for the iframe and session queries.

Authorization: Token user_session_token_from_login

Contact [email protected] to receive your initial server API credentials.

Important: Keep your server API token secure. Never expose it in client-side code or public repositories. The user session token is safe to pass to the client iframe.

Token Rotation

For security, tokens should be rotated periodically using the /rotate-token/ endpoint. When you rotate a token:

  • A new token is generated and returned

  • The old token remains valid for a grace period of 7-15 days

  • This allows you to update your systems without downtime

Rotate Server Token

POST /rotate-token/

Generate a new server API token. The old token will remain valid for a grace period of 7-15 days, allowing you to update your systems without downtime.

Note: This endpoint requires your current valid token to generate a new one.

Example cURL Request

curl -X POST https://api.mypayr.co.uk/thirdparty/rotate-token/ \
  -H "Authorization: Token 8f4e2b1a9c7d6e5f3b2a1c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8" \
  -H "Content-Type: application/json"

Example Response

{
  "token": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1f2",
  "old_token_expiry": "2024-01-22T14:30:00Z"
}
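As an added example (not Payr's own code), here is a small Python rotation client for the request above: it authorises the POST with the current server token, stores the token returned, and keeps the old token usable only until the old_token_expiry the API reports. The HTTP transport is injected so the stand-in sender at the bottom runs offline; the token values, the stand-in's 401 reply and the demo clock are constructed placeholders.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Endpoint as shown in the page's cURL example.
ROTATE_URL = "https://api.mypayr.co.uk/thirdparty/rotate-token/"
def build_rotation_request(current_token):
    """Headers for POST /rotate-token/: the current valid server token authorises the rotation."""
    return {"Authorization": f"Token {current_token}", "Content-Type": "application/json"}

def parse_rotation_response(body, now):
    """Return (new_token, old_token_expiry, grace_days) from the JSON response body."""
    data = json.loads(body)
    expiry = datetime.fromisoformat(data["old_token_expiry"].replace("Z", "+00:00"))
    return data["token"], expiry, (expiry - now).total_seconds() / 86400

def http_send(headers):
    """Real transport (used when no sender is injected): POST with the given headers."""
    req = urllib.request.Request(ROTATE_URL, data=b"", headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()

def rotate_server_token(store, now, send=http_send):
    """Rotate, then keep the old token alongside the new one only until its expiry."""
    status, body = send(build_rotation_request(store["server_token"]))
    if status != 200:
        raise RuntimeError(f"rotation failed with HTTP {status}")
    new_token, expiry, grace_days = parse_rotation_response(body, now)
    if not 7 <= grace_days <= 15:  # the page documents a 7-15 day grace period
        print(f"warning: unexpected grace period of {grace_days:.1f} days")
    store.update(previous_token=store["server_token"], previous_token_expiry=expiry, server_token=new_token)
    return new_token, grace_days

def usable_tokens(store, now):
    """Tokens this server may still present: the new one always, the old one only inside the grace window."""
    tokens = [store["server_token"]]
    if store.get("previous_token") and now < store["previous_token_expiry"]:
        tokens.append(store["previous_token"])
    return tokens

# Constructed stand-in for the API so the example runs offline (placeholder tokens, not real ones).
OLD_TOKEN, NEW_TOKEN = "OLD_SERVER_TOKEN_PLACEHOLDER", "NEW_SERVER_TOKEN_PLACEHOLDER"
def fake_send(headers):
    if headers.get("Authorization") != f"Token {OLD_TOKEN}":
        return 401, ""  # constructed: only the current valid token may rotate
    return 200, json.dumps({"token": NEW_TOKEN, "old_token_expiry": "2024-01-22T14:30:00Z"})
def demo(now=datetime(2024, 1, 10, 14, 30, tzinfo=timezone.utc)):
    store = {"server_token": OLD_TOKEN}
    new_token, grace = rotate_server_token(store, now, send=fake_send)
    return store, new_token, grace, usable_tokens(store, now)
```

Swap `fake_send` for the default `http_send` to run the rotation for real; persist `store` somewhere only your servers can read, never in client-side code.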
Authorizations

Authorization (string, required)

Server-to-server authentication token obtained via the rotate-token endpoint. Include in the Authorization header as: Authorization: Token <your_token>

Responses

200 (application/json): Token rotated successfully