Authorization

Fetch Auth Token API

The merchant backend should call this API to get an auth token, which is used to authorize the subsequent API calls between the merchant and PhonePe backends.

  • The generated token can be used to make multiple API calls until it expires.
  • The merchant can save the token and rely on the “expires_at” field for its expiry; the token should be refreshed, using the same API, before that time.

Host Details

| Environment | Value |
|---|---|
| UAT | https://api-preprod.phonepe.com/apis/pg-sandbox |
| PROD | https://api.phonepe.com/apis/identity-manager |

Endpoint

/v1/oauth/token – Endpoint is common for UAT and Production.

Complete Host Details

| Environment | HTTP Method | Value |
|---|---|---|
| UAT | POST | https://api-preprod.phonepe.com/apis/pg-sandbox/v1/oauth/token |
| PROD | POST | https://api.phonepe.com/apis/identity-manager/v1/oauth/token |

Request Details

Request Headers

| Header Name | Header Value |
|---|---|
| Content-Type | application/x-www-form-urlencoded |

Request Parameters

| Parameter Name | Description |
|---|---|
| client_id | Client ID shared by PhonePe |
| client_version | In case of UAT, client_version value should be 1. In case of PROD, use the value as received in credentials email. |
| client_secret | Client secret shared by PhonePe |
| grant_type | Value will be “client_credentials” |

Sample Request

curl --location 'https://api-preprod.phonepe.com/apis/pg-sandbox/v1/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=CLIENT_ID' \
--data-urlencode 'client_version=1' \
--data-urlencode 'client_secret=CLIENT_SECRET' \
--data-urlencode 'grant_type=client_credentials'

NOTE: The cURL command above uses the UAT host URL and dummy values for client_id and client_secret. Replace them with the appropriate values.

Response Body

{
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHBpcmVzT24iOjE3MjA2MzUzMjE5OTYsIm1lcmNoYW50SWQiOiJWUlVBVCJ9.4YjYHI6Gy6gzOisD_628wfbaI46dMSc5T_0gZ2-SAJo",
    "encrypted_access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHBpcmVzT24iOjE3MjA2MzUzMjE5OTYsIm1lcmNoYW50SWQiOiJWUlVBVCJ9.4YjYHI6Gy6gzOisD_628wfbaI46dMSc5T_0gZ2-SAJo",
    "expires_in": null,
    "issued_at": 1706073005,
    "expires_at": 1706697605,
    "session_expires_at": 1706697605,
    "token_type": "O-Bearer"
}

Response Parameters

| Parameter Name | Data Type | Description |
|---|---|---|
| access_token | String | Token generated at PhonePe. The generated token remains valid for a specific time, which can be checked by referring to the “expires_at” field. After expiry, the token must be refreshed using the same API. |
| issued_at | DateTime | Token generation timestamp in epoch (in seconds). |
| expires_at | DateTime | Token expiry timestamp in epoch (in seconds). |
| token_type | String | Type will be “O-Bearer”. |

Note: Merchants should rely on the following response parameters.

  • access_token – The TOKEN that has to be used in the API calls with PhonePe.
  • expires_at – The expiry of the TOKEN, as an epoch timestamp (in seconds).