Authorization

To integrate with the CM.com Online Payments API your application must be authorized. Authorization follows the standard OAuth 2.0 client credentials flow:

Client Credentials Flow

In the Client Credentials Flow (OAuth 2.0, RFC 6749 section 4.4) an application exchanges its own credentials (clientID and clientSecret) for an access token. The access token is then sent as a Bearer token in the Authorization header on subsequent calls to the API. Because these credentials identify your integration rather than an end user, they must only be used from a server you control, never from a browser or mobile app.

How does it work?

The diagram above shows the following steps:

  1. You make a request to Get an access token. This is a POST to our public oauth2/token API endpoint using the API credentials (clientID and clientSecret) provided by CM.
  2. If the request succeeds, the response contains an access_token together with its lifetime in seconds (expires_in). Reuse the same access_token as Bearer token for all subsequent calls to the API until it expires. There is no refresh token in this flow: when the token expires (or is about to), simply repeat step 1 to obtain a new access_token. Treat the token like a password: send it only over HTTPS and keep it out of logs and error messages.

You do not have to reinvent the wheel in your code: OAuth 2.0 client libraries exist for many languages and handle token retrieval, caching and renewal for you: OAuth libraries.

Get an Access token

Request

curl -X POST \
--url https://api.pay.cm.com/api/v1/authorization/oauth2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Accept: application/json' \
--data-urlencode 'client_id=<string>' \
--data-urlencode 'client_secret=<string>' \
--data-urlencode 'grant_type=client_credentials'

Parameter

Name           Type     Description
client_id      String   Part of the API credentials provided by CM.
client_secret  String   Part of the API credentials provided by CM. Keep it confidential and store it server-side only.
grant_type     String   Fixed value: 'client_credentials'

Response

{
  "access_token": "YWMXMDI0YWQTODU0NI0ZZMRKLWFKOTUTYJQ5MZU0MTI3M2RI",
  "expires_in": 3600,
  "token_type": "Bearer"
}

Parameter

Name           Type     Description
access_token   String   The access token to use as Bearer token in subsequent API calls.
expires_in     Int      The lifetime in seconds of the access token. There is no refresh token in this flow, so when the token expires make a new request to Get an access token.
token_type     String   Fixed value: 'Bearer'

Make API calls using Access token as Bearer token

Once you have made the request to Get an access token, use the retrieved access_token as Bearer token in your subsequent API calls for as long as the token is valid.

Example: given "access_token": "YWMXMDI0YWQTODU0NI0ZZMRKLWFKOTUTYJQ5MZU0MTI3M2RI", we create a checkout transaction, passing the access_token as Bearer in the Authorization header:

curl -X POST \
--url https://api.pay.cm.com/api/v1/paymentmethods/checkout/v1/transactions \
--header 'Authorization: Bearer YWMXMDI0YWQTODU0NI0ZZMRKLWFKOTUTYJQ5MZU0MTI3M2RI' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--data '{
  ...
  ...
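The two steps above (obtain a token, then reuse it as Bearer until it is about to expire and fetch a new one) are what an integration has to get right in practice. The following is an added example, not code from CM.com or from this page: a small token provider that caches the access_token, renews it shortly before expires_in runs out (there is no refresh token in this flow) and builds the Authorization header. The HTTP transport is injected so the example runs offline; FakeTokenEndpoint and FakeClock are constructed stand-ins for the real endpoint and wall clock, and the credential values "my-client-id" / "my-client-secret" are hypothetical.

```python
"""Client-credentials token handling for the CM.com token endpoint (added example)."""
import time
from typing import Callable, Dict, Optional, Tuple

# Endpoint URL taken from the page. The HTTP transport is injected so this runs offline.
TOKEN_URL = "https://api.pay.cm.com/api/v1/authorization/oauth2/token"

# transport(url, form_fields) -> (http_status, parsed_json_body)
Transport = Callable[[str, Dict[str, str]], Tuple[int, dict]]


class ClientCredentialsTokenProvider:
    """Fetch an access token with grant_type=client_credentials and reuse it until
    shortly before expires_in elapses. There is no refresh token in this flow, so
    renewal is simply a new token request."""

    def __init__(self, client_id: str, client_secret: str, transport: Transport,
                 skew_seconds: int = 60, clock: Callable[[], float] = time.time):
        self._client_id = client_id
        # The secret identifies your integration: keep it server-side (environment
        # variable or secret store), never in browser or mobile code.
        self._client_secret = client_secret
        self._transport = transport
        self._skew = skew_seconds          # renew this many seconds before expiry
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0               # number of token requests actually made

    def _fetch(self) -> None:
        form = {
            "client_id": self._client_id,
            "client_secret": self._client_secret,
            "grant_type": "client_credentials",
        }
        status, body = self._transport(TOKEN_URL, form)
        if status != 200:
            # Do not echo the response body into logs; it may contain the token.
            raise RuntimeError(f"token request failed with HTTP {status}")
        if str(body.get("token_type", "")).lower() != "bearer":
            raise RuntimeError(f"unexpected token_type {body.get('token_type')!r}")
        self._token = body["access_token"]
        self._expires_at = self._clock() + int(body["expires_in"])
        self.fetch_count += 1

    def access_token(self) -> str:
        """Return a token that is still valid, fetching a new one when needed."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._fetch()
        return self._token

    def auth_header(self) -> Dict[str, str]:
        """Header to attach to every subsequent API call."""
        return {"Authorization": f"Bearer {self.access_token()}"}


# --- Constructed stand-in for the token endpoint (not CM.com's server) ---------
class FakeTokenEndpoint:
    """Accepts one hypothetical credential pair and hands out numbered tokens."""

    def __init__(self, client_id: str, client_secret: str, lifetime: int = 3600):
        self._creds = (client_id, client_secret)
        self._lifetime = lifetime
        self.issued = 0

    def __call__(self, url: str, form: Dict[str, str]) -> Tuple[int, dict]:
        if url != TOKEN_URL or form.get("grant_type") != "client_credentials":
            return 400, {"error": "invalid_request"}
        if (form.get("client_id"), form.get("client_secret")) != self._creds:
            return 401, {"error": "invalid_client"}
        self.issued += 1
        return 200, {"access_token": f"tok-{self.issued}",
                     "expires_in": self._lifetime, "token_type": "Bearer"}


class FakeClock:
    """Controllable clock so token expiry can be exercised without waiting."""

    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


def demo() -> Tuple[str, str, str, int]:
    """First call fetches, second reuses the cached token, third (inside the
    skew window before expiry) renews. Returns the three headers and fetch count."""
    endpoint = FakeTokenEndpoint("my-client-id", "my-client-secret")   # hypothetical creds
    clock = FakeClock(0.0)
    provider = ClientCredentialsTokenProvider("my-client-id", "my-client-secret",
                                              endpoint, skew_seconds=60, clock=clock)
    first = provider.auth_header()["Authorization"]       # Bearer tok-1
    clock.now = 1800.0
    second = provider.auth_header()["Authorization"]      # still tok-1, no new request
    clock.now = 3541.0                                    # 59 s before expiry: renew
    third = provider.auth_header()["Authorization"]       # Bearer tok-2
    return first, second, third, provider.fetch_count


if __name__ == "__main__":
    print(demo())
```

For a real integration replace FakeTokenEndpoint with a function that POSTs the form as application/x-www-form-urlencoded to TOKEN_URL over HTTPS and returns the status code and decoded JSON; the provider logic stays the same. The skew avoids sending a token that expires in flight, and a single provider instance shared by all request threads keeps the number of token requests to one per lifetime.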