Authentication
SAAS Login API
Endpoint: POST {baseUrl}/as/api/v1/saas-login
Payload:
| Attribute | Description |
|---|---|
| clientId | You can get this from Dashboard > API Keys > Apps > Client ID |
| clientSecret | You can get this from Dashboard > API Keys > Apps > Client Secret |

{
  "clientId": "<your_client_id>",
  "clientSecret": "<your_client_secret>"
}

Response:
| Attribute | Description |
|---|---|
| accessToken | Use this token in headers to access Authenticated APIs |
| accessTokenExpiry | Expiry time of the Access Token, which is usually short-lived. Before calling an Authenticated API, ensure your Access Token has not expired. If it has expired, call the Refresh Token API to get a new Access Token. |
| refreshToken | Use this token in Refresh Token API to get a new Access Token when expired. |
| refreshTokenExpiry | Expiry time of the Refresh Token, which is usually long-lived. If the Refresh Token has expired, you need to call this same login API again. |
200 — SUCCESS Response
{
  "accessToken": "...",
  "accessTokenExpiry": "2024-09-23T18:33:10.049+00:00",
  "refreshToken": "...",
  "refreshTokenExpiry": "2024-09-28T08:33:10.047+00:00"
}

Refresh Token API
Endpoint: POST {baseUrl}/as/api/v1/saas-refresh-token
Payload:
| Attribute | Description |
|---|---|
| refreshToken | The Refresh Token you have received from the saas-login API response |

{
  "refreshToken": "..."
}

Response:
| Attribute | Description |
|---|---|
| accessToken | The new access token used for further API access. |
| accessTokenExpiry | The expiry time of the new access token. |
200 — SUCCESS Response
{
  "data": {
    "accessToken": "...",
    "accessTokenExpiry": "..."
  }
}

Frequently Asked Questions (FAQ)
What is the difference between Access Token and Refresh Token?
Access Token
- It’s like a temporary pass that lets you use an app’s features or access APIs.
- It’s short-lived (e.g., expires in 5–60 minutes).
- Every time you make a request to the server, you send this token to prove you’re allowed to do so.
Example: When you log in to a service, it gives you an access token so you can use it without typing your password again for a while.
Refresh Token
- It’s like a long-term key that can get you a new access token when the old one expires.
- You don’t send it with every request. You keep it safe and only use it to refresh your session.
- It lives much longer (hours, days, or weeks).
Example: When your short pass (access token) expires, you use your longer key (refresh token) to get a new short pass without logging in again.
Recommended Practice
- A valid `accessToken` is required to call any VaultsPay authenticated API.
- Before making an API request, always verify whether your `accessToken` is null or expired.
  - If it is expired, then check the status of your `refreshToken`.
  - If the `refreshToken` is still valid, use the Refresh Token API to obtain a new `accessToken`.
- And when your `refreshToken` has expired (since it has a longer lifespan), call the SaaS Login API to generate a new `refreshToken` and continue the cycle.
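
The cycle described under Recommended Practice, as an added Python example (not VaultsPay's own code). `TokenManager`, `FakeServer`, the `post` transport callable and the 30-second `SKEW` margin are hypothetical names and assumptions; the refresh response is assumed to use the same timestamp format as the login response.

```python
from datetime import datetime, timedelta, timezone

LOGIN_PATH = "/as/api/v1/saas-login"
REFRESH_PATH = "/as/api/v1/saas-refresh-token"
SKEW = timedelta(seconds=30)  # assumption: safety margin, not from the docs

class TokenManager:
    """Returns a usable accessToken, refreshing or logging in only when needed."""
    def __init__(self, post, client_id, client_secret, now=None):
        self._post = post  # hypothetical transport: post(path, body) -> parsed 200 JSON
        self._creds = {"clientId": client_id, "clientSecret": client_secret}
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._access = self._refresh = self._access_exp = self._refresh_exp = None

    def _valid(self, token, expiry):
        return token is not None and self._now() + SKEW < expiry

    def _login(self):
        body = self._post(LOGIN_PATH, self._creds)
        self._access, self._refresh = body["accessToken"], body["refreshToken"]
        self._access_exp = datetime.fromisoformat(body["accessTokenExpiry"])
        self._refresh_exp = datetime.fromisoformat(body["refreshTokenExpiry"])

    def _renew(self):
        # Unlike login, the refresh response nests its fields under "data".
        data = self._post(REFRESH_PATH, {"refreshToken": self._refresh})["data"]
        self._access = data["accessToken"]
        self._access_exp = datetime.fromisoformat(data["accessTokenExpiry"])

    def access_token(self):
        if not self._valid(self._access, self._access_exp):
            if self._valid(self._refresh, self._refresh_exp):
                self._renew()
            else:
                self._login()
        return self._access

class FakeServer:
    """Constructed stand-in for both endpoints so the example runs offline."""
    def __init__(self, clock):
        self.clock, self.calls = clock, []
    def post(self, path, body):
        self.calls.append(path)
        stamp = lambda d: (self.clock() + d).isoformat(timespec="milliseconds")
        access = {"accessToken": f"at-{len(self.calls)}",
                  "accessTokenExpiry": stamp(timedelta(minutes=10))}
        if path == REFRESH_PATH:
            return {"data": access}
        return {**access, "refreshToken": "rt-1",
                "refreshTokenExpiry": stamp(timedelta(days=5))}
```

In a real client, `post` would wrap an HTTPS call to `{baseUrl}`, and the client secret and both tokens should be kept out of logs and source control.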