Get started

Authentication

Long-lived API credentials for server-to-server calls; short-lived JWTs for the merchant console.

Always call Xpend from your backend

API credentials grant full merchant scope. Treat them like a database password: never ship them to a browser, a mobile app, or a public repository, and never log them.

API credentials

All requests authenticate with a Bearer credential in the Authorization header. Server-to-server merchant API calls use a long-lived API credential created in the console or through the merchant platform API and scoped to a single merchant environment.

Authorization: Bearer key_01HXY....plaintext_secret

Verify a credential

Confirm that a key works and inspect its scopes with GET /v1/merchant/principal.

Token login

The console login flow exchanges merchant login credentials for an access token suitable for Bearer authentication.

Rotation & revocation

  • Create the new credential first, deploy it, then revoke the old one.
  • Rotate at least every 90 days for live keys.
  • Revoke immediately on suspected leak, no grace period.
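The following is an added example, not Xpend's own client or SDK, that ties the verification step and the create-first rotation order together in a backend process. The base URL, the environment variable names, and the JSON fields it reads from GET /v1/merchant/principal (environment, scopes) are assumptions, since this page does not document them; the revocation call is left to the caller because the revocation endpoint is likewise not described here.

```python
import json
import os
import urllib.error
import urllib.request
from typing import Callable, Optional

# Assumption: neither the API base URL nor the JSON shape returned by
# GET /v1/merchant/principal is specified on this page; both are placeholders.
BASE_URL = os.environ.get("XPEND_BASE_URL", "https://api.example.invalid")
PRINCIPAL_PATH = "/v1/merchant/principal"


def load_credential(env_var: str = "XPEND_API_CREDENTIAL") -> str:
    """Read the long-lived API credential from the server environment.

    The credential never lives in source code or client bundles; a missing
    value is a deployment error and should stop the process early.
    """
    value = os.environ.get(env_var, "").strip()
    if not value:
        raise RuntimeError(f"{env_var} is not set; refusing to start")
    return value


def auth_headers(credential: str) -> dict:
    """Build the Bearer header used by every merchant API request."""
    return {"Authorization": f"Bearer {credential}", "Accept": "application/json"}


def check_principal(body: dict, expected_env: str, required_scopes=()) -> list:
    """Return a list of problems with a principal response (empty list = OK).

    Assumed response fields: 'environment' (e.g. 'live' or 'test') and
    'scopes' (a list of strings). Adjust to the real response shape.
    """
    problems = []
    env = body.get("environment")
    if env != expected_env:
        problems.append(f"credential is scoped to {env!r}, expected {expected_env!r}")
    missing = sorted(set(required_scopes) - set(body.get("scopes", [])))
    if missing:
        problems.append("credential lacks scopes: " + ", ".join(missing))
    return problems


def _http_get_principal(credential: str) -> dict:
    """Perform the real GET /v1/merchant/principal call with urllib."""
    req = urllib.request.Request(BASE_URL + PRINCIPAL_PATH, headers=auth_headers(credential))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            raise RuntimeError("credential rejected (revoked, or wrong environment)") from exc
        raise


def verify_credential(credential: str, expected_env: str,
                      required_scopes=(), fetch: Optional[Callable] = None) -> dict:
    """Confirm the key is usable and scoped as the deployment expects.

    `fetch` lets a caller substitute the HTTP call (used for offline tests);
    by default the real request is made. Raises RuntimeError on any problem.
    """
    if fetch is None:
        fetch = _http_get_principal
    body = fetch(credential)
    problems = check_principal(body, expected_env, required_scopes)
    if problems:
        raise RuntimeError("; ".join(problems))
    return body


def rotate(old_credential: str, new_credential: str, expected_env: str,
           revoke: Callable[[str], None], fetch: Optional[Callable] = None) -> None:
    """Create-first rotation: revoke the old key only after the new one is
    proven to work against the principal endpoint.

    Deploying the new credential to every service happens between creating it
    and calling this function. `revoke` is supplied by the caller because the
    revocation endpoint is not described on this page (assumption).
    """
    verify_credential(new_credential, expected_env, fetch=fetch)
    revoke(old_credential)


if __name__ == "__main__":
    # Start-up self-check for a live deployment: fail fast if the key in the
    # environment is rejected, belongs to the wrong environment, or is under-scoped.
    verify_credential(load_credential(), expected_env="live")
```

Run the start-up check at process boot rather than lazily on the first payment: a rejected or wrongly scoped key then surfaces as a failed deploy instead of a production error hours later. If verification of the new key fails, `rotate` raises before `revoke` is reached, so a botched rotation leaves the old key working instead of locking the service out.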

Console JWT

Short-lived JWTs are issued for browser usage in the merchant console. These are not interchangeable with API credentials and cannot be used for server-to-server traffic.