Every payout request is authorized with a short-lived access token, obtained by exchanging a credential pair. Credentials are provisioned per client and can be rotated at any time.
Provision a credential set in the dashboard to receive a clientId (the public identifier) and a clientSecret (shown once). Rotating the secret issues a new value while keeping the same clientId.
Every auth response uses the same wrapper — status, statusCode, errorMessage, sessionId — with the endpoint-specific result in data.
Exchange the pair at POST /auth/obtain/token. Send the returned token as Authorization: Bearer <accessToken> on every request. Example shown in the panel.
Tokens are short-lived (expiresIn seconds). Cache and reuse the token; refresh only when it nears expiry rather than minting one per request.
Outbound webhooks are signed with HMAC-SHA256 using your endpoint secret. Verify the signature header before trusting a payload. See the event object →