For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
HomeGuidesAPI Reference
HomeGuidesAPI Reference
  • Online API
    • API Environments
    • Direct Payment Flow
    • REST
    • HTTPS
    • Dates
    • Pagination
    • Authentication
    • Idempotent Requests
    • Timeouts
    • API Simulator
  • Models
    • Introduction
    • Contact Object
    • Consumer Object
    • Discount Object
    • Item Object
    • Money Object
    • Order Details Object
    • Payment Object
    • Refund Object
    • Shipping Courier Object
  • Service Status
    • GETPing
  • Configuration
    • GETGet Configuration
  • Orders
    • Introduction
    • GETGet Order
    • POSTCreate Order
  • Javascript afterpay.js
    • Information
    • Redirect Method
  • Payments
    • Introduction
    • POSTCapture Payment
    • PUTUpdate Shipping Courier
    • GETGet Payment By Order ID
    • GETGet Payment By Token
    • GETList Payment(s)
    • POSTCreate Refund
    • PUTUpdate Payment by Order ID
    • POSTReverse Payment By Token
  • Errors
    • Introduction
    • Get Errors
    • Put/Post Errors
  • Reference
LogoLogo
On this page
  • Example Request
Online API

Authentication

Was this page helpful?
Previous

Idempotent Requests

Next
Built with

Example Request

HTTP
1GET /v1/configuration HTTP/1.1
2Host: global-api-sandbox.afterpay.com
3Authorization: Basic MzI6YWJjZGVmZ2g=
1curl "https://global-api-sandbox.afterpay.com/v1/configuration" \
2  -H 'Authorization: Basic MzI6YWJjZGVmZ2g='
1var request = require("request");
2
3var options = {
4  url: 'https://global-api-sandbox.afterpay.com/v1/configuration',
5  headers: {
6    Authorization: 'Basic MzI6YWJjZGVmZ2g='
7  }
8};
9
10request(options, function (error, response, body) {
11  if (error) throw new Error(error);
12
13  console.log(body);
14});
1require 'uri'
2require 'net/http'
3
4url = URI("https://global-api-sandbox.afterpay.com/v1/configuration")
5
6http = Net::HTTP.new(url.host, url.port)
7http.use_ssl = true
8
9request = Net::HTTP::Get.new(url)
10request["Authorization"] = 'Basic MzI6YWJjZGVmZ2g='
11
12response = http.request(request)
13puts response.read_body
1import requests
2
3url = "https://global-api-sandbox.afterpay.com/v1/configuration"
4
5headers = {
6    'Authorization': "Basic MzI6YWJjZGVmZ2g="
7}
8
9response = requests.request("GET", url, headers=headers)
10
11print(response.text)

The Afterpay Online API uses Basic HTTP Authentication, a simple authentication scheme built into the HTTP protocol, as specified by RFC 7617.

With the exception of Ping, all Online API endpoints require this form of authentication. Failure to correctly authenticate an API request will result in a “401 Unauthorized” response.

Consider the following example:

Merchant IDSecret Key
32abcdefgh

In conventional HTTP terms, “Merchant ID” is the username and “Secret Key” is the password.

Afterpay provides merchant accounts per region, and each merchant account has unique API credentials.

The credentials are joined by a colon character (without any spaces), then base64-encoded.

Plain TextBase64 Encoded
32:abcdefghMzI6YWJjZGVmZ2g=

The Authorization header can then be formed by including the word Basic, followed by a single space character, followed by the base64-encoded credential pair.

Final HeaderAuthorization: Basic MzI6YWJjZGVmZ2g=
Security Notice

Please note that the base64-encoding of the Authorization header is unrelated to security. All HTTP headers and bodies (for both requests and responses) between the Merchant and Afterpay are encrypted with TLS. The reason for base64-encoding is solely to comply with the RFC 7617 standard, which allows non-HTTP characters and multibyte strings to be used for Basic HTTP Authentication.