This section explains how to authenticate to the API.

The GPS Cards API uses OAuth 2 for authentication between > and Clients. This means that to perform an action on the Cards API, you need to supply a valid OAuth Token in the header of each API request. For more information about the headers in the > Cards API, see Headers.

> uses the Client Credentials OAuth flow to generate a valid OAuth token. For more information about granting OAuth Client Credentials, see the website.

The following OAuth terms are used in this section:

  • User — this is the resource owner (in this case >) who authorises an application to access their account. Access is limited to the scope of the authorisation granted.
  • Client — this is the application requesting access to the user’s account. The application must be authorised by the user, and the authorisation must be validated by the API.
  • Resource/Authorisation Server — this is the API. The Resource server hosts the user’s accounts. The Authorisation server verifies the identity of the users and grants access tokens to the application.

Generating an OAuth Token and Accessing the > API

To interface and authenticate with the > Cards API, both a ClientId and ClientSecret are required.
To obtain these, you must register with >. Please contact your > Implementation Manager.
When registered, you will receive your Program Manager ID and user credentials.

Next, you use these credentials to generate an access token using our Retrieve access token endpoint.

After receiving a valid OAuth2 token, use it in the Authorization header on all subsequent API requests.


API Explorer

See the Retrieve access token endpoint.


Expired Tokens

The Client Credentials flow does not allow a user to refresh an OAuth Token. If your token expires, you will need to generate a new OAuth Token.
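
The following is an added example, not code from the API documentation: a small token cache that handles expiry by requesting a new token, since the Client Credentials flow has no refresh. It assumes the token response carries the standard RFC 6749 fields `access_token` and `expires_in` and that the token is sent with the `Bearer` scheme; `fetch` and `send` are hypothetical callables standing in for the Retrieve access token endpoint and for any Cards API request.

```python
import time
from typing import Callable, Dict, Optional, Tuple

class TokenCache:
    """Holds one client-credentials token and fetches a new one when it expires."""
    def __init__(self, fetch: Callable[[], Dict], skew: float = 30.0,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def invalidate(self) -> None:
        self._token = None

    def token(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at:
            body = self._fetch()  # no refresh token in this flow: full re-request
            if not body.get("access_token"):
                raise ValueError("token response has no access_token")
            self._token = body["access_token"]
            # Renew `skew` seconds early so a request never carries a token
            # that expires while in flight.
            lifetime = float(body.get("expires_in", 0))
            self._expires_at = now + max(lifetime - self._skew, 0.0)
        return self._token

    def headers(self) -> Dict[str, str]:
        # Bearer scheme is an assumption (RFC 6750); check the Headers page.
        return {"Authorization": "Bearer " + self.token()}

def call_api(cache: TokenCache,
             send: Callable[[Dict[str, str]], Tuple[int, str]]) -> Tuple[int, str]:
    """Send one request; on 401 drop the cached token and retry exactly once."""
    status, body = send(cache.headers())
    if status == 401:
        cache.invalidate()
        status, body = send(cache.headers())
    return status, body

def demo() -> Tuple[str, str, str, int]:
    """Constructed run with a fake token endpoint and fake clock (no network)."""
    issued, now = [], [0.0]
    def fake_fetch() -> Dict:
        issued.append("tok-%d" % (len(issued) + 1))
        return {"access_token": issued[-1], "token_type": "Bearer", "expires_in": 300}
    cache = TokenCache(fake_fetch, skew=30, clock=lambda: now[0])
    first = cache.token()
    now[0] = 200.0; reused = cache.token()   # still valid: same token
    now[0] = 271.0; renewed = cache.token()  # past 300 - 30: new token issued
    return first, reused, renewed, len(issued)
```

Keep the ClientSecret out of the cache object itself: pass it only to the `fetch` callable, loaded from a secrets store or environment variable, so that logging or serialising the cache never exposes it.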