# Authentication

> Authenticate SingaPay Payment Gateway REST API requests using OAuth 2.0 client credentials, Bearer tokens, and required headers.

All REST API endpoints require authentication before you can call them. Webhook callbacks use a separate [HMAC signature scheme](/api-reference/webhooks/security-and-signature).

***

## Obtain an access token

Request a JWT access token using your **Client ID** and **Client Secret** from the merchant dashboard.

Send the request to **`POST /api/v1.1/access-token/b2b`**. The endpoint is listed under **Security** in the API reference sidebar (OpenAPI-generated endpoint page).

<Info>
  You can also use `POST /api/v1.0/access-token/b2b` on older integrations.
</Info>

### Token request headers

| Header          | Value                                                     |
| --------------- | --------------------------------------------------------- |
| `Authorization` | `Basic {base64(client_id:client_secret)}`                 |
| `X-PARTNER-ID`  | Your API key (Partner ID)                                 |
| `Content-Type`  | `application/x-www-form-urlencoded` or `application/json` |

### Token request body

| Field        | Value                |
| ------------ | -------------------- |
| `grant_type` | `client_credentials` |

The response includes a Bearer token and expiry time. Request a new token before the current one expires.

***

## Authenticated API requests

Include these headers on every REST API call after you obtain a token:

| Header          | Description                                                  |
| --------------- | ------------------------------------------------------------ |
| `Authorization` | `Bearer {access_token}`                                      |
| `X-PARTNER-ID`  | Your API key from the merchant dashboard                     |
| `Content-Type`  | `application/json` (unless the endpoint specifies otherwise) |

```http
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
X-PARTNER-ID: b3ed7d4b-a96c-6c08-b3c7-12c3124242d9
Content-Type: application/json
```
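
An added example, not SingaPay's own code, covering the token request and the authenticated-request headers above: it builds the token request from the header and body tables and caches the Bearer token so it is renewed before expiry. The names `build_token_request`, `TokenCache` and the `fetch` callback are hypothetical; the page does not name the response fields, so `fetch` is assumed to return the token and its lifetime in seconds.

```python
import base64
import time
import urllib.parse
import urllib.request

SANDBOX = "https://sandbox-payment-b2b.singapay.id"  # from the Environments table
TOKEN_PATH = "/api/v1.1/access-token/b2b"

def build_token_request(client_id, client_secret, partner_id, base_url=SANDBOX):
    """Build (without sending) the client-credentials token request."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(
        base_url + TOKEN_PATH,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "X-PARTNER-ID": partner_id,
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )

class TokenCache:
    """Hold the Bearer token in memory and renew it before it expires.

    Assumption: `fetch` is a caller-supplied function that sends the request
    above and returns (access_token, lifetime_seconds) parsed from the response.
    """

    def __init__(self, fetch, margin=60, clock=time.monotonic):
        self._fetch, self._margin, self._clock = fetch, margin, clock
        self._token, self._renew_at = None, 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._renew_at:
            token, lifetime = self._fetch()
            # Renew `margin` seconds early so no call carries an expired token.
            self._token, self._renew_at = token, now + max(lifetime - self._margin, 0)
        return self._token

    def headers(self, partner_id):
        """Headers for an authenticated REST call, per the table above."""
        return {
            "Authorization": f"Bearer {self.get()}",
            "X-PARTNER-ID": partner_id,
            "Content-Type": "application/json",
        }
```

Load the Client Secret from a secret store or environment variable rather than source code, and keep the `Authorization` header out of request logs.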

***

## Signed requests (selected endpoints)

Some money-out operations require additional headers for request signing:

| Header        | Description                          |
| ------------- | ------------------------------------ |
| `X-Signature` | HMAC-SHA512 signature of the request |
| `X-Timestamp` | Unix timestamp in seconds            |

Endpoints that typically require signing include:

* Disbursement transfer (`POST /api/v2.0/disbursement/transfer`)
* QRIS issuer payment credit and related money-out flows
* E-Wallet trigger top-up (`POST /api/v2.0/ewallet/trigger-topup`)

Refer to the OpenAPI reference for each endpoint to confirm required headers. The signing algorithm follows the same `METHOD:ENDPOINT:ACCESS_TOKEN:HASHED_BODY:TIMESTAMP` pattern described in [Security and signature validation](/api-reference/webhooks/security-and-signature), applied to outbound API requests rather than inbound webhooks.

***

## IP whitelist

Merchant API routes may require your server IP to be registered on the merchant account before requests are accepted. Configure allowed IPs in the merchant dashboard before going to production.

<Warning>
  **IP Whitelist Required** — Ensure your server IP is registered for the merchant account before making API requests from production systems.
</Warning>

***

## Environments

| Environment | Base URL                                  |
| ----------- | ----------------------------------------- |
| Sandbox     | `https://sandbox-payment-b2b.singapay.id` |
| Production  | `https://payment-b2b.singapay.id`         |

Use Sandbox for development and testing. No real money moves in Sandbox.
