Access Token v1.1
Exchanges merchant credentials for a JWT access token using the OAuth 2.0 client credentials grant. The request authenticates with an HMAC-SHA512 signature (X-Signature header) rather than by sending the client secret itself. Use the returned access_token in the Authorization: Bearer <token> header on subsequent secured requests.
Authorizations
Merchant API key (Credential.api_key). Required on every request.
Headers
Merchant API key that identifies the partner. Used together with X-CLIENT-ID to resolve the merchant credentials.
"a1b2c3d4-5678-90ab-cdef-1234567890ab"
Merchant client identifier (client_id) issued to the merchant during onboarding.
"SGP-CLIENT-001"
Lowercase hexadecimal HMAC-SHA512 digest of the string {client_id}_{client_secret}_{YYYYMMDD}, computed with the merchant client_secret as the HMAC key. Valid only for the current server date (Ymd).
"c8f1d3e2a4b6...0f9e8d7c6b5a4938271605f4e3d2c1b0a9f8e7d6c5b4a3928170f6e5d4c3b2a1"
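How the X-Signature value described above can be computed and checked, as an added example that is not part of the original reference or the provider's own code. The function names, the UTC date, the UTF-8 encoding and the sample secret are assumptions; the page does not state the server timezone or the string encoding.

```python
import hashlib
import hmac
from datetime import datetime, timezone


def signing_date(now=None):
    """YYYYMMDD stamp for the signature.

    Assumption: the server date is UTC; the page does not state its timezone.
    """
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y%m%d")


def build_signature(client_id, client_secret, ymd):
    """HMAC-SHA512 over '{client_id}_{client_secret}_{YYYYMMDD}', keyed with client_secret."""
    # Assumption: strings are encoded as UTF-8 before hashing.
    message = f"{client_id}_{client_secret}_{ymd}".encode("utf-8")
    key = client_secret.encode("utf-8")
    # hexdigest() returns lowercase hex, which is what the header requires.
    return hmac.new(key, message, hashlib.sha512).hexdigest()


def verify_signature(presented, client_id, client_secret, server_ymd):
    """Hypothetical server-side check: recompute for the server's date only."""
    expected = build_signature(client_id, client_secret, server_ymd)
    # Constant-time comparison; comparing bytes avoids a TypeError on non-ASCII input.
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("ascii"))


if __name__ == "__main__":
    # client_id is the page's sample value; the secret is constructed for this demo.
    cid, secret = "SGP-CLIENT-001", "constructed-secret-for-demo"
    sig = build_signature(cid, secret, "20240131")
    print("X-Signature:", sig)
    print("same server date:", verify_signature(sig, cid, secret, "20240131"))
    print("after date rollover:", verify_signature(sig, cid, secret, "20240201"))
```

Because the signed string changes only with the date, the same X-Signature value is accepted for every request made on that server date, so keep it out of logs and handle it with the same care as the client_secret. A client whose clock or timezone differs from the server's will be rejected around the date rollover.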
Body
Request body for the OAuth 2.0 client credentials grant. The only supported value for grant_type is client_credentials; any other value is rejected with HTTP 422.
The OAuth grant type. Must be the literal string client_credentials.
client_credentials "client_credentials"
Response
Authentication succeeded. The response data contains the issued JWT and its metadata (OAuthAccessTokenResponseData).
Standard success envelope returned by the security endpoints. Wraps the issued token payload in the Flugger responder format (status, success, data).
