Authorization Introduction
Scope
This document describes the authorization flow for merchants integrating with the Pexx service B2B APIs. It only covers authorization-related content and does not include detailed business API specifications.
Basic Integration Information
API Base URLs
| Environment | Base URL |
|---|---|
| Sandbox | http://qa.backend.pexx.com:8606 |
| Production | https://saas.backend.pexx.com |
Merchant Onboarding Materials
Before integration, key exchange and merchant configuration must be completed.
-
The merchant generates its own RSA key pair.
-
The merchant provides the RSA public key to the
Pexx servicefor storage. -
The RSA private key must be securely stored by the merchant. The
Pexx servicedoes not store the merchant's private key. -
After merchant configuration is completed, the
Pexx serviceprovides the following information:merchantCode: merchant identifierPexxApiKey: merchant API key
A 2048-bit RSA key is recommended.
Example: Generate RSA Key Pair
Use OpenSSL to generate the RSA key pair:
openssl genrsa -out merchant_private_key.pem 2048
openssl pkcs8 -topk8 -inform PEM -outform PEM -in merchant_private_key.pem -out merchant_private_key_pkcs8.pem -nocrypt
openssl rsa -in merchant_private_key.pem -pubout -out merchant_public_key.pemNotes:
merchant_private_key_pkcs8.pemis the recommended merchant private key filemerchant_public_key.pemis the merchant public key file to be provided to thePexx service- If the
Pexx servicerequires the public key in Base64 format, remove the PEM header, footer, and line breaks before submission
Glossary
| Term | Description |
|---|---|
merchantCode | The unique merchant identifier assigned by the Pexx service |
PexxApiKey | The API key assigned by the Pexx service and used to identify the merchant |
accessToken | The access token used for business API calls and passed in PexxAuthorization |
refreshToken | The token used to refresh access credentials |
secretKey | The signing key used to generate HMAC signatures for business API requests |
grantType | The credential application type; for the current integration, client_credentials is recommended |
businessId | Optional business user identifier; if omitted, the merchant's primary business user will be used by default |
X-TIMESTAMP | Unix timestamp in seconds; should use the current time when the request is sent |
X-NONCE | A unique random string for each request to prevent replay attacks; recommended maximum length is 32 characters, and a UUID without hyphens is recommended |
X-SIGNATURE | The request signature value, generated according to the signing rules in this document and then Base64-encoded |
path | The actual request path, for example /apis/v1/access-token |
Authorization Flow
1. Request Access Credentials
Call:
POST /apis/v1/access-token
Purpose:
- Request business access credentials
- Obtain the
accessToken,refreshToken, andsecretKeyrequired for subsequent business API calls
Optional: Follow the cURL walkthrough in Recipes
Open the Request an access token with cURL Recipe to see the request body, required headers, cURL command, and example success and failure responses side by side.
Use this page for the signing rules and parameter definitions, then use the Recipe when you want a request flow you can copy and adapt.
2. Call Business APIs
Applicable range:
GET /apis/v1/**POST /apis/v1/**
Purpose:
- Use
accessTokento access business APIs - Use
secretKeyto generate the request signature for business APIs
3. Refresh Access Credentials
Call:
POST /apis/v1/refresh-token
Purpose:
- Request a new set of access credentials after
accessTokenexpires by usingrefreshToken
API Integration Details
Header Requirements
Common Headers
| Header | Required | Description |
|---|---|---|
Content-Type | Yes | Must be application/json |
PexxApiKey | Yes | Merchant API key |
X-TIMESTAMP | Yes | Unix timestamp in seconds |
X-NONCE | Yes | Unique random string for each request; recommended maximum length is 32 characters |
X-SIGNATURE | Yes | Request signature, Base64-encoded |
Additional Header for Business APIs
| Header | Required | Description |
|---|---|---|
PexxAuthorization | Yes | Format: Bearer {accessToken} |
Signing Rules
1. Signature for access-token / refresh-token Requests
access-token / refresh-token RequestsApplicable APIs:
POST /apis/v1/access-tokenPOST /apis/v1/refresh-token
Signature algorithm:
SHA256withRSA
String to sign:
METHOD:path:sha256(minifyJson(body)):apiKey:merchantCode:timestamp:nonceExample:
POST:/apis/v1/access-token:sha256(body):your-api-key:your-merchant-code:1714291200:6f2e7c1a4d9b4c2f9c7d1e3a5b6f8a0cNotes:
METHODmust be uppercase, for examplePOSTpathmust use the actual request path, for example/apis/v1/access-tokenbodymust be serialized in a stable format before hashing- The signature result must be Base64-encoded and passed in
X-SIGNATURE
2. Signature for Business API Requests
Applicable APIs:
- All other
/apis/v1/**business APIs except/apis/v1/access-tokenand/apis/v1/refresh-token
Signature algorithm:
HmacSHA512
String to sign:
METHOD:path:accessToken:sha256(minifyJson(body)):timestamp:nonceExample:
POST:/apis/v1/user/balance/list:your-access-token:sha256(body):1714291200:6f2e7c1a4d9b4c2f9c7d1e3a5b6f8a0cNotes:
- The
secretKeyreturned by/apis/v1/access-tokenis the HMAC key - The
accessTokencarried inPexxAuthorizationmust match theaccessTokenused in the string to sign - An empty request body participates in signing as an empty string
API Specifications
1. POST /apis/v1/access-token
POST /apis/v1/access-tokenPurpose:
- Request access credentials
Request body parameters:
| Parameter | Required | Type | Description |
|---|---|---|---|
merchantCode | Yes | string | Merchant identifier |
grantType | Yes | string | For the current integration, client_credentials is recommended |
businessId | No | string | Specify the business user identifier; if omitted, the merchant's primary business user will be used by default |
Response parameters:
| Parameter | Type | Description |
|---|---|---|
merchantCode | string | Merchant identifier |
businessUserId | string | The actual business user identifier for which the credentials are issued |
accessToken | string | Access token for business API calls |
refreshToken | string | Refresh token for renewing access credentials |
secretKey | string | Signing key for business API requests |
accessTokenExpiresIn | long | Remaining validity period of accessToken, in seconds |
refreshTokenExpiresIn | long | Remaining validity period of refreshToken, in seconds |
timestamp | long | Credential issuance time, Unix timestamp in seconds |
2. POST /apis/v1/refresh-token
POST /apis/v1/refresh-tokenPurpose:
- Refresh access credentials
Request body parameters:
| Parameter | Required | Type | Description |
|---|---|---|---|
merchantCode | Yes | string | Merchant identifier |
refreshToken | Yes | string | Refresh token for renewing access credentials |
Response parameters:
| Parameter | Type | Description |
|---|---|---|
merchantCode | string | Merchant identifier |
businessUserId | string | The actual business user identifier for which the credentials are issued |
accessToken | string | New access token for business API calls |
refreshToken | string | New refresh token for renewing access credentials |
secretKey | string | New signing key for business API requests |
accessTokenExpiresIn | long | Remaining validity period of accessToken, in seconds |
refreshTokenExpiresIn | long | Remaining validity period of refreshToken, in seconds |
timestamp | long | Credential issuance time, Unix timestamp in seconds |
3. General Requirements for Business APIs
Purpose:
- Use the access credentials to call specific business APIs
General requirements:
PexxAuthorization: Bearer {accessToken}must be included in the request header- The request must generate
X-SIGNATUREaccording to the business API signing rules - The request and response parameters of each specific business API are subject to its corresponding API documentation
Authentication Failure Response
Response Structure
When authentication fails, the response body uses the following common fields:
| Field | Description |
|---|---|
code | Response code |
msg | Error description |
data | Business data; usually empty on failure |
Error Codes
| Type | Value | Description |
|---|---|---|
| HTTP status code | 401 | Returned when required headers are missing, the signature is invalid, the token is invalid, or authentication fails |
| Business error code | 1004 | INVALID_ACCESS, invalid access, for example merchant mismatch or invalid credentials |
| Business error code | 1009 | ACCESS_TOKEN_EXPIRED, accessToken has expired |
| Business error code | 1010 | REFRESH_TOKEN_EXPIRED, refreshToken has expired |
Updated 2 days ago