Authentication
Authentication & Authorization
Zip NZ uses OAuth 2.0 as a standardised means of securing API endpoints.
Flows
There is one OAuth flow currently supported:
- Client Credentials Flow, which is used as the basis of server-to-server communication across the Online API & Instore API
Endpoints
There are 2 supported endpoints, which reflect either a sandbox or a production environment:
ENVIRONMENT | TOKEN ENDPOINT | API IDENTIFIER (AUDIENCE) | API ENDPOINT |
---|---|---|---|
Production | https://merchant-auth-nz.zip.co/oauth/token | https://auth.partpay.co.nz | https://zip.co/nz/api |
Sandbox | https://merchant-auth-nz.sandbox.zip.co/oauth/token | https://auth-dev.partpay.co.nz | https://sandbox.zip.co/nz/api |
Client Credentials
This flow is used for server-to-server communication, and is relevant in our Online API and our Instore API.
To obtain a token, make a request to the token endpoint with a number of properties you'll be given when starting your integration with Zip NZ.
Example
To obtain an access token:
POST https://merchant-auth-nz.zip.co/oauth/token
Content-Type: application/json
{
"client_id":"[client id]",
"client_secret":"[client secret]",
"audience":"https://auth.partpay.co.nz",
"grant_type":"client_credentials"
}
This will return a response such as:
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciO.....",
"expires_in": 86400,
"scope": "merchant",
"token_type": "Bearer"
}
Scopes
Scopes are not requested as part of this flow. Instead, they will be added to the returned access_token where the client access allows.
Token Expiry
The expiry for the access_token will be defined in the response. Typically this will be 24 hours (86400 seconds); however, the value in access_token should be respected as it's subject to change.
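One way to apply the expiry guidance above in a server-side client, as an added example that is not Zip NZ's own code: the token is cached and re-requested shortly before the lifetime the response reported, rather than after a hard-coded 24 hours. `TokenCache`, `post_json`, the `skew` margin and the injectable `transport`/`clock` parameters are hypothetical names chosen for illustration; the URL and audience are the sandbox values from the table.

```python
import json
import time
import urllib.request

# Sandbox values from the endpoint table above.
TOKEN_URL = "https://merchant-auth-nz.sandbox.zip.co/oauth/token"
AUDIENCE = "https://auth-dev.partpay.co.nz"

def post_json(url, payload):
    """POST a JSON body over HTTPS and return the decoded JSON response."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Hypothetical helper: caches the access token until shortly before expiry."""

    def __init__(self, client_id, client_secret, token_url=TOKEN_URL,
                 audience=AUDIENCE, transport=post_json,
                 clock=time.monotonic, skew=60):
        self._request = {"client_id": client_id, "client_secret": client_secret,
                         "audience": audience, "grant_type": "client_credentials"}
        self._url, self._transport = token_url, transport
        self._clock, self._skew = clock, skew  # skew: refresh this many seconds early
        self._token, self._refresh_at = None, 0.0

    def get(self):
        """Return a valid token, requesting a new one only when needed."""
        if self._token is None or self._clock() >= self._refresh_at:
            body = self._transport(self._url, self._request)
            # Fail closed on anything that is not a usable Bearer token.
            if body.get("token_type") != "Bearer" or not body.get("access_token"):
                raise ValueError("unexpected token response")
            # Use the lifetime the server returned, not a hard-coded 86400.
            lifetime = int(body["expires_in"])
            self._token = body["access_token"]
            self._refresh_at = self._clock() + max(lifetime - self._skew, 0)
        return self._token

    def auth_header(self):
        """Authorization header for API calls (standard Bearer usage)."""
        return {"Authorization": f"Bearer {self.get()}"}

    def __repr__(self):
        return "TokenCache(<redacted>)"  # keep the secret and token out of logs
```

Load the client id and secret from a secrets manager or environment at start-up rather than source control, and construct one `TokenCache` per process so the token endpoint is not called on every API request.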