Authentication
General Information
Token Requirements
- Obtain a new token before making API requests via the /token endpoint.
- Tokens expire after the time specified in the expires_in field (in seconds).
- Use the token in the Authorization header: Authorization: <access_token>.
Security Headers
All requests require the following headers:
- apikey: Your API key (provided by Fiserv).
- x-timestamp: Current request timestamp (prevents replay attacks).
- x-request-id: Unique UUID for the request (enables idempotency and tracing).
- x-hmac-signature: HMAC-SHA256 signature of APIKEY + TIMESTAMP + REQUEST_BODY + URL_PATH (Base64-encoded).
POST /token
Authentication Token generation endpoint, which is required for all calls.
Obtain the authentication token using a client_secret and client_id, send it via application/x-www-form-urlencoded, and use the Bearer token in subsequent requests.
Request Fields
| Name | Located in | Description | Mandatory | Type |
|---|---|---|---|---|
| apikey | header | API Key | yes | string |
| x-timestamp | header | Date/time of the request (used to prevent replay attacks) | yes | string |
| x-request-id | header | Random ID used to identify the request | yes | string |
| x-hmac-signature | header | HMAC signature generated by combining the request parameters. Example: HMAC-SHA256(apikey + x-timestamp + requestBody + URL) | yes | string |
Request Example
Content-Type: application/x-www-form-urlencoded
| Field | Value |
|---|---|
| client_id | user1234 |
| client_secret | userPassword@123 |
Response Fields
| Field | Type | Description |
|---|---|---|
| access_token | string | JWT token for authentication |
| expires_in | integer | Token expiration time in seconds |
Response Example
```json
{
  "access_token": "your-access-token",
  "expires_in": 300
}
```
Additional Information
HMAC Calculation
The HMAC must be generated using the SHA-256 algorithm and the private key provided by Fiserv, using the following concatenated fields:
APIKEY + TIMESTAMP + REQUEST_BODY + URL_PATH
Below is an example of a Postman script that generates the indicated headers according to the specification:
Postman Script Example
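```javascript
var CryptoJS = require("crypto-js");

// Pre-request script: computes the HMAC headers and adds them to the outgoing request.
function setHMACAuth(request) {
    const currentDate = new Date();
    var API_KEY = pm.collectionVariables.get('apikey');
    var SECRET = pm.collectionVariables.get('secret');
    var requestId = generateUUID();
    // Timestamp in milliseconds since the Unix epoch, sent as a string.
    const timestamp = currentDate.getTime().toString();
    // String to sign: APIKEY + TIMESTAMP + REQUEST_BODY + URL_PATH.
    // url.path is an array of segments, so toString() yields a comma-separated list.
    const rawData = API_KEY + timestamp + request.body.toString() + '/' + pm.request.url.path.toString().replaceAll(',', '/');
    // HMAC-SHA256 keyed with the secret, then Base64-encoded.
    var signedValue = CryptoJS.algo.HMAC.create(CryptoJS.algo.SHA256, SECRET).update(rawData).finalize();
    const hashedStringRequest = CryptoJS.enc.Base64.stringify(signedValue);
    pm.request.headers.add({key: "x-timestamp", value: timestamp});
    pm.request.headers.add({key: "x-hmac-signature", value: hashedStringRequest});
    pm.request.headers.add({key: "x-request-id", value: requestId});
}

// Version-4-style UUID built from Math.random(); used only as the request identifier.
function generateUUID() {
    return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function(c) {
        var r = Math.random() * 16 | 0, v = c == 'x' ? r : (r & 0x3 | 0x8);
        return v.toString(16);
    });
}

setHMACAuth(pm.request);
```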
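The signing rule above together with a matching receiver-side check, as an added Node.js example (not Fiserv's code and not part of the original page). The 5-minute tolerance, the function names, and the sample key, secret and body are constructed assumptions; the millisecond timestamp follows the Postman script.

```javascript
const crypto = require('crypto');

// Assumed freshness window; the page does not state the tolerance the API applies.
const MAX_SKEW_MS = 5 * 60 * 1000;

// Base64(HMAC-SHA256(secret, APIKEY + TIMESTAMP + REQUEST_BODY + URL_PATH)).
function signRequest(secret, apiKey, timestamp, body, urlPath) {
  return crypto.createHmac('sha256', secret)
    .update(apiKey + timestamp + body + urlPath, 'utf8')
    .digest('base64');
}

// Hypothetical receiver-side check: reject stale timestamps first,
// then compare the signatures in constant time.
function verifyRequest(secret, headers, body, urlPath, now = Date.now()) {
  const ts = Number(headers['x-timestamp']);
  if (!Number.isFinite(ts) || Math.abs(now - ts) > MAX_SKEW_MS) {
    return { ok: false, reason: 'stale-timestamp' };
  }
  const expected = Buffer.from(
    signRequest(secret, headers.apikey, headers['x-timestamp'], body, urlPath), 'base64');
  const received = Buffer.from(String(headers['x-hmac-signature'] || ''), 'base64');
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (received.length !== expected.length || !crypto.timingSafeEqual(received, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  return { ok: true };
}

// Constructed sample request to POST /token (values are placeholders, not real credentials).
function demo() {
  const secret = 'demo-secret';
  const now = 1700000000000;
  const body = 'client_id=user1234&client_secret=userPassword%40123';
  const headers = { apikey: 'demo-api-key', 'x-timestamp': String(now) };
  headers['x-hmac-signature'] = signRequest(secret, headers.apikey, headers['x-timestamp'], body, '/token');
  return {
    signature: headers['x-hmac-signature'],
    valid: verifyRequest(secret, headers, body, '/token', now),
    tampered: verifyRequest(secret, headers, body + '&scope=admin', '/token', now),
    replayed: verifyRequest(secret, headers, body, '/token', now + 10 * 60 * 1000),
  };
}
```

The signature covers the body string and path exactly as signed, so the body must be sent byte-for-byte as it was signed; x-request-id is not part of the signed string.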