Exchange HMAC-signed credentials for a Bearer access token.
The server computes HMAC-SHA256 of {client_id}:{timestamp}
keyed by the credential’s client_secret and compares it in
constant time against the supplied signature. On match, it mints
an RS256-signed JWT scoped to the credential’s allowed_scopes.
The timestamp must be within ±5 minutes of server time;
outside that window the request is rejected to limit replay.
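
The signing and verification steps described above, as an added Python example (not the gateway's own code). It assumes the HMAC is taken over the timestamp string exactly as sent and that client_secret is used as raw bytes; the function names, reason strings and demo secret are constructed for illustration.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)             # ±5 minute window from the page
SIG_RE = re.compile(r"^[0-9a-fA-F]{64}$")   # signature format from the page


def sign(client_id: str, timestamp: str, client_secret: bytes) -> str:
    """Client side: hex HMAC-SHA256 of "{client_id}:{timestamp}"."""
    msg = f"{client_id}:{timestamp}".encode("utf-8")
    return hmac.new(client_secret, msg, hashlib.sha256).hexdigest()


def verify(client_id, timestamp, signature, client_secret, now=None):
    """Server side: returns (ok, reason); reason is for server logs only.
    `now` is injectable so the window check can be tested."""
    now = now or datetime.now(timezone.utc)
    if not SIG_RE.fullmatch(signature):
        return False, "bad_signature_format"
    try:
        # fromisoformat() before Python 3.11 rejects a trailing "Z"
        ts = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    except ValueError:
        return False, "bad_timestamp"
    if ts.tzinfo is None:
        return False, "bad_timestamp"       # RFC 3339 requires an offset
    if abs(now - ts) > MAX_SKEW:
        return False, "timestamp_out_of_window"
    expected = sign(client_id, timestamp, client_secret)
    # Lowercase so upper-case hex is accepted; compare_digest is constant-time
    if not hmac.compare_digest(expected, signature.lower()):
        return False, "signature_mismatch"
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"     # constructed, not a real secret
    cid, ts = "kc_live_a3f2c4", "2026-05-26T07:30:00Z"
    sig = sign(cid, ts, secret)
    fresh = datetime(2026, 5, 26, 7, 32, tzinfo=timezone.utc)
    stale = datetime(2026, 5, 26, 7, 36, tzinfo=timezone.utc)
    print(verify(cid, ts, sig, secret, fresh))
    print(verify(cid, ts, sig, secret, stale))
```

Because the timestamp is part of the signed message, a captured request cannot be re-dated: changing the timestamp invalidates the signature, and an unchanged one is rejected once the window has passed.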
Body
Public credential identifier issued from the merchant dashboard.
"kc_live_a3f2c4"
RFC 3339 timestamp; ±5 minutes from server time.
"2026-05-26T07:30:00Z"
Hex-encoded HMAC-SHA256 of {client_id}:{timestamp} keyed
with the credential's client_secret.
^[0-9a-fA-F]{64}$
"9d4e7a8b1f3c2e5d6a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f"
Response
Access token issued.
RS256-signed JWT; opaque from the merchant's view.
Bearer
Seconds until the token expires (default 3600).
x >= 1
3600
JWT audience claim. The gateway accepts only kyc-api for the
programmatic surface.
kyc-api 