Authentication
All Open Fabric APIs use an OAuth 2.0 access token (Bearer token) for authentication.
To obtain an access token, you need client credentials:
| Key | Description |
|---|---|
| client_id | Identifies your integration. This can be used in client-side applications (web/mobile). |
| client_secret | Confidential credential used for server-to-server communication. Do not expose it to third parties. |
Your credentials will be provided during onboarding.
Request an access token
Use the Request access token API.
```bash
curl --request POST \
  --url https://auth.openfabric.co/oauth2/token \
  --header 'Authorization: Basic <base64(client_id:client_secret)>' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data 'grant_type=client_credentials'
```
OAuth2 scopes
When requesting an access token, you can specify the scopes your integration needs. Use the scope parameter with space-separated scope names (e.g. scope=acct.r txn.r). If not provided, the access token will be generated with all scopes assigned to the API client.
The following scopes are available:
| Scope | Full Name | Description |
|---|---|---|
| acct.r | accounts.read | View accounts |
| acct.u | accounts.update | Update accounts |
| txn.r | transactions.read | View transactions |
| txn.c | transactions.create | Create transactions |
| txn.u | transactions.update | Update transactions |
| card.r | cards.read | Read card information |
| mcht.r | merchants.read | View partners |
| mcht.c | merchants.create | Create partners |
| mcht.u | merchants.update | Update partners |
| mcred.r | merchant_credential.read | View partner API credentials, PG credentials, webhook config and PAT config |
| mcred.u | merchant_credential.update | Update partner API credentials, PG credentials, webhook config and PAT config |
| mcred.d | merchant_credential.delete | Delete partner PG credentials and PAT config |
| sub.r | subscriptions.read | View webhook settings |
| sub.c | subscriptions.create | Create webhook settings |
| sub.u | subscriptions.update | Update webhook settings |
| sub.d | subscriptions.delete | Delete webhook settings |
| cust.r | customers.read | View customers |
| cust.c | customers.create | Create customers |
| cust.u | customers.update | Update customers |
| cust.d | customers.delete | Delete customers |
| wlt.r | wallets.read | View secure device wallets |
| wlt.u | wallets.update | Lock/unlock secure device wallets |
| wlt.d | wallets.delete | Deactivate secure device wallets |
| tkn.r | tokens.read | View tokens |
| tkn.u | tokens.update | Lock/unlock tokens |
| tkn.d | tokens.delete | Delete tokens |
| pm.r | payment_methods.read | View payment methods |
| pm.u | payment_methods.update | Lock/unlock payment methods |
| pm.d | payment_methods.delete | Delete payment methods |
| pat.r | pat_links.read | View pre-approved transaction links |
| pat.c | pat_links.create | Create pre-approved transaction links |
| pat.u | pat_links.update | Update pre-approved transaction links |
| pat.d | pat_links.delete | Delete pre-approved transaction links |
| aud.r | audit.read | View audit trail |
| sc.r | spend_controls.read | View spend control rulesets |
| sc.c | spend_controls.create | Create new spend control rulesets |
| sc.u | spend_controls.update | Update spend control rulesets |
| sc.d | spend_controls.delete | Delete spend control rulesets |
| cp.r | card_programs.read | View card programs |
| cp.c | card_programs.create | Create new card programs |
| cp.u | card_programs.update | Update card programs |
| cp.d | card_programs.delete | Deactivate card programs |
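
Because omitting `scope` yields a token carrying every scope assigned to the API client, a server-side integration can enforce least privilege by refusing to build a token request without an explicit, known scope list. The following is an added example, not Open Fabric's own code; the function name, the `OF_CLIENT_ID`/`OF_CLIENT_SECRET` environment variables and the sample credentials are hypothetical, and it assumes `scope` is sent in the form body next to `grant_type`, as in standard OAuth 2.0 client credentials requests.

```python
import base64
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://auth.openfabric.co/oauth2/token"  # endpoint from the curl example

# Scope prefixes and their actions (r/c/u/d), transcribed from the scope table above.
_TABLE = {"acct": "ru", "txn": "rcu", "card": "r", "mcht": "rcu", "mcred": "rud",
          "sub": "rcud", "cust": "rcud", "wlt": "rud", "tkn": "rud", "pm": "rud",
          "pat": "rcud", "aud": "r", "sc": "rcud", "cp": "rcud"}
KNOWN_SCOPES = {f"{prefix}.{action}" for prefix, acts in _TABLE.items() for action in acts}


def build_token_request(client_id, client_secret, scopes):
    """Return an unsent client_credentials request restricted to `scopes`."""
    scopes = list(dict.fromkeys(scopes))  # drop duplicates, keep caller's order
    if not scopes:
        # No scope parameter means the token gets all scopes assigned to the client.
        raise ValueError("refusing to request a token without explicit scopes")
    unknown = [s for s in scopes if s not in KNOWN_SCOPES]
    if unknown:
        raise ValueError(f"unknown scopes: {unknown}")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    # Assumption: scope travels in the form body as a space-separated list.
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "scope": " ".join(scopes)}).encode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    })


if __name__ == "__main__":
    # Constructed fallback credentials; real ones come from the environment or a
    # secret store on the server, never from client-side code.
    req = build_token_request(os.environ.get("OF_CLIENT_ID", "example-id"),
                              os.environ.get("OF_CLIENT_SECRET", "example-secret"),
                              ["acct.r", "txn.r"])
    # Print only the non-secret parts; the Authorization header is never logged.
    print(req.get_method(), req.full_url, req.data.decode())
```

Pass the returned object to `urllib.request.urlopen` on the server to send it.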