Authentication
General Information
Token Requirements
- Obtain a new token before making API requests via the /token endpoint.
- Tokens expire after the time specified in the expires_in field (in seconds).
- Use the token in the Authorization header: Authorization: <access_token>.
Security Headers
All requests require the following headers:
- apikey: Your API key (provided by Fiserv).
- x-timestamp: Current request timestamp (prevents replay attacks).
- x-request-id: Unique UUID for the request (enables idempotency and tracing).
- x-hmac-signature: HMAC-SHA256 signature of APIKEY + TIMESTAMP + REQUEST_BODY + URL_PATH (Base64-encoded).
POST /token
Generates the authentication token, which is required for all calls.
Obtain the token by sending client_id and client_secret as application/x-www-form-urlencoded, then use the Bearer token in subsequent requests.
Request Fields
| Name | Located in | Description | Mandatory | Type |
|---|---|---|---|---|
| apikey | header | API Key | yes | string |
| x-timestamp | header | Date/time of the request (used to prevent replay attacks) | yes | string |
| x-request-id | header | Random ID used to identify the request | yes | string |
| x-hmac-signature | header | HMAC signature generated by combining the request parameters. Example: HMAC-SHA256(apikey + x-timestamp + requestBody + URL) | yes | string |
Request Example
Content-Type: application/x-www-form-urlencoded
| Field | Value |
|---|---|
| client_id | user1234 |
| client_secret | userPassword@123 |
Response Fields
| Field | Type | Description |
|---|---|---|
| access_token | string | JWT token for authentication |
| expires_in | integer | Token expiration time in seconds |
Response Example
{
  "access_token": "your-access-token",
  "expires_in": 300
}
Additional Information
HMAC
The HMAC must be generated using the SHA-256 algorithm and the private key provided by Fiserv, using the following concatenated fields:
APIKEY + TIMESTAMP + REQUEST_BODY + URL_PATH
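The signing rule above, together with the receiver-side check it implies, as an added example (not Fiserv's own code). Assumptions not stated on this page: the timestamp is epoch milliseconds, the key is used as raw bytes, fields are concatenated as UTF-8 with no separator, and the freshness window and request-id replay cache are illustrative choices.

```python
import base64
import hashlib
import hmac
import time
import uuid

MAX_SKEW_MS = 5 * 60 * 1000  # assumed freshness window; the page does not specify one


def sign(secret: bytes, api_key: str, timestamp: str, body: str, url_path: str) -> str:
    """Base64(HMAC-SHA256(secret, APIKEY + TIMESTAMP + REQUEST_BODY + URL_PATH))."""
    message = (api_key + timestamp + body + url_path).encode("utf-8")
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_headers(secret, api_key, body, url_path, now_ms=None):
    """Client side: the four security headers for one request."""
    timestamp = str(now_ms if now_ms is not None else int(time.time() * 1000))
    return {
        "apikey": api_key,
        "x-timestamp": timestamp,
        "x-request-id": str(uuid.uuid4()),
        "x-hmac-signature": sign(secret, api_key, timestamp, body, url_path),
    }


def verify(secret, headers, body, url_path, now_ms, seen_ids):
    """Receiver side: reject stale, tampered or repeated requests."""
    ts = headers.get("x-timestamp", "")
    if not ts.isdigit() or abs(now_ms - int(ts)) > MAX_SKEW_MS:
        return False  # missing or stale timestamp: replay outside the window
    expected = sign(secret, headers.get("apikey", ""), ts, body, url_path)
    supplied = headers.get("x-hmac-signature", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False  # key, timestamp, body or path does not match what was signed
    req_id = headers.get("x-request-id")
    if not req_id or req_id in seen_ids:
        return False  # request id already seen inside the window: replay
    seen_ids.add(req_id)
    return True


# Constructed sample values (not real credentials); body uses the page's example fields
SECRET = b"constructed-hmac-secret"
API_KEY = "constructed-api-key"
BODY = "client_id=user1234&client_secret=userPassword%40123"
PATH = "/token"
```

Sign the exact bytes that go on the wire: re-encoding the form body after signing changes REQUEST_BODY and the signature no longer verifies.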