POST /api/v1/kyc/auth/get-auth-token
Exchange HMAC-signed credentials for a Bearer access token.
curl --request POST \
  --url https://sandbox.singapay.id/api/v1/kyc/auth/get-auth-token \
  --header 'Content-Type: application/json' \
  --data '
{
  "client_id": "kc_live_a3f2c4",
  "timestamp": "2026-05-26T07:30:00Z",
  "signature": "9d4e7a8b1f3c2e5d6a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f"
}
'

{
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImsxIn0.eyJpc3MiOiJraWMtdmVyaWZ5IiwiYXVkIjoia3ljLWFwaSIsImV4cCI6MTcyNDgyMTYwMH0...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "audience": "kyc-api"
}

Body

application/json
client_id
string
required

Public credential identifier issued from the merchant dashboard.

Example:

"kc_live_a3f2c4"

timestamp
string<date-time>
required

RFC 3339 timestamp; must be within ±5 minutes of server time.

Example:

"2026-05-26T07:30:00Z"

signature
string
required

Hex-encoded HMAC-SHA256 of {client_id}:{timestamp} keyed with the credential's client_secret.

Pattern: ^[0-9a-fA-F]{64}$
Example:

"9d4e7a8b1f3c2e5d6a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f"
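The following is an added example, not code from this API's documentation or SDK: it builds the request body described above and runs a local pre-flight check of the two documented rules (signature value and ±5 minute window). The function names, the UTF-8 encoding of secret and message, the second-precision `Z` timestamp format and the return strings are assumptions; `example-secret-not-real` in the test is a constructed value.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # window stated in the timestamp field description
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumption: RFC 3339, UTC, second precision


def sign(client_id, client_secret, timestamp):
    """Hex-encoded HMAC-SHA256 of "{client_id}:{timestamp}" keyed with client_secret."""
    # Assumption: secret and message are both encoded as UTF-8 bytes.
    message = f"{client_id}:{timestamp}".encode("utf-8")
    return hmac.new(client_secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def build_auth_body(client_id, client_secret, now=None):
    """Request body for POST /api/v1/kyc/auth/get-auth-token."""
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    timestamp = now.strftime(TS_FORMAT)
    return {
        "client_id": client_id,
        "timestamp": timestamp,
        "signature": sign(client_id, client_secret, timestamp),
    }


def check_auth_body(body, client_secret, server_now):
    """Local self-check mirroring the documented rules; returns "ok" or a reason."""
    try:
        sent = datetime.strptime(body["timestamp"], TS_FORMAT).replace(tzinfo=timezone.utc)
    except (KeyError, TypeError, ValueError):
        return "bad_timestamp"
    if abs(server_now - sent) > MAX_SKEW:
        return "timestamp_out_of_window"
    expected = sign(body.get("client_id", ""), client_secret, body["timestamp"])
    # The field pattern allows A-F, so normalise case, then compare in constant time.
    supplied = str(body.get("signature", "")).lower()
    if not hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8")):
        return "bad_signature"
    return "ok"
```

Only `client_id`, `timestamp` and `signature` go on the wire; `client_secret` is used solely as the HMAC key on the signing host.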

Response

Access token issued.

access_token
string
required

RS256-signed JWT; opaque from the merchant's view.

token_type
enum<string>
required
Available options:
Bearer
expires_in
integer
required

Seconds until the token expires (default 3600).

Required range: x >= 1
Example:

3600

audience
enum<string>
required

JWT audience claim. The gateway accepts only kyc-api for the programmatic surface.

Available options:
kyc-api