Use this flow when OAuth is enabled for your merchant and you want to authenticate merchant API requests with an OAuth 2.0 Client Credentials bearer token instead of HTTP Basic Auth.
This guide covers only the token exchange flow. For Direct API setup, enabling OAuth, and managing access keys in Merchant Dashboard, see Direct API Access and Authentication.
In Merchant Dashboard, navigate to Settings > Integrations > Direct API.
Make sure:
- OAuth is enabled
- you have a valid access key
- you have copied the access key's client_id and client_secret
Send a POST request to /access-keys/token with the access key credentials in the request body.
This token-minting request does not use an Authorization header. The client_id and client_secret in the request body are the credentials used to authenticate the request.
curl https://app.resolvepay.com/api/access-keys/token \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "<client_id>",
    "client_secret": "<client_secret>"
  }'

Example response:
{
  "access_token": "eyJ...",
  "token_type": "Bearer",
  "expires_in": 86400,
  "scope": "merchant:read merchant:write"
}

Include the returned token in the Authorization header when calling the merchant API:
curl https://app.resolvepay.com/api/customers \
  -H "Authorization: Bearer <access_token>"

- Expired access keys cannot mint tokens.
- Revoked access keys cannot mint tokens.
- If OAuth is disabled in Merchant Dashboard, bearer-token requests will not be authorized for merchant API calls.
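The exchange above as a small client that mints a token once and reuses it until shortly before expires_in elapses. This is an added example, not Resolve's code; the names BearerTokenCache and http_post_json, the 60-second skew, and the RESOLVE_CLIENT_ID / RESOLVE_CLIENT_SECRET environment variables are assumptions.

```python
import json
import os
import time
import urllib.request

TOKEN_URL = "https://app.resolvepay.com/api/access-keys/token"  # endpoint from this guide


def http_post_json(url, payload):
    """Default transport: POST JSON with no Authorization header, as the guide requires."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:  # raises HTTPError on non-2xx
        return json.load(resp)


class BearerTokenCache:
    """Mints a token once and reuses it until shortly before expires_in elapses."""

    def __init__(self, client_id, client_secret, post=http_post_json,
                 clock=time.monotonic, skew=60):
        self._creds = {"client_id": client_id, "client_secret": client_secret}
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._deadline = None, 0.0

    def token(self):
        if self._token is None or self._clock() >= self._deadline:
            body = self._post(TOKEN_URL, self._creds)
            if body.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type in token response")
            self._token = body["access_token"]
            # Refresh `skew` seconds early so a request never carries a token about to expire.
            self._deadline = self._clock() + max(0, int(body["expires_in"]) - self._skew)
        return self._token

    def auth_header(self):
        return {"Authorization": "Bearer " + self.token()}

    def __repr__(self):  # keep the secret and the token out of logs and tracebacks
        return "BearerTokenCache(client_id=%r)" % self._creds["client_id"]


if __name__ == "__main__":
    # Assumed variable names; reading from the environment keeps credentials out of source.
    cache = BearerTokenCache(os.environ["RESOLVE_CLIENT_ID"], os.environ["RESOLVE_CLIENT_SECRET"])
    print(sorted(cache.auth_header()))  # prints the header name only, never the token
```

If the access key is expired or revoked, the mint request fails and the exception from the transport propagates to the caller rather than leaving a stale token in use past its deadline.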
See the merchant API reference for the token endpoint:
POST /access-keys/token