Authentication & Authorization

Zip NZ uses OAuth 2.0 as a standardised means of securing API endpoints.

Flows

There is one OAuth flow currently supported:

Client Credentials

Flow which is used for the basis of server-to-server communication across the in-store API

Endpoints

There are 2 supported endpoints, which are reflective of either a sandbox or production environment

ENVIRONMENT	TOKEN ENDPOINT	API IDENTIFIER (AUDIENCE)	API ENDPOINT
Production	https://merchant-auth-nz.zip.co/oauth/token	https://auth.partpay.co.nz	https://zip.co/nz/api
Sandbox	https://merchant-auth-nz.sandbox.zip.co/oauth/token	https://auth-dev.partpay.co.nz	https://sandbox.zip.co/nz/api

Client Credentials

This flow is used for server-to-server communication, and is relevant in our in-store API.

To obtain a token, make a request to the token endpoint, with a number of properties you'll be given when starting your integration with Zip NZ

Example

To obtain an access token:

POST https://https://merchant-auth-nz.zip.co/oauth/token

Content-Type: application/json
{
  "client_id":"[client id]",
  "client_secret":"[client secret]", 
  "audience":"https://auth.partpay.co.nz",
  "grant_type":"client_credentials"
}

Will return a response ie:

{
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciO.....",
    "expires_in": 86400,
    "scope": "merchant",
    "token_type": "Bearer"
}

Scopes

Scopes are not requested as part of this flow, instead they will be added to the returned access_token where the client access allows

Token Expiry

The expiry for the access_token will be defined in the response. Typically this will be 24 hours (86400 seconds) however the value in access_token should be respected as it’s subject to change