Authentication
EgaCard supports user JWT authentication, merchant signed API-key authentication, and signed webhook delivery.
User JWT
- Use JWT for consumer and operator endpoints that act on a signed-in user.
- Rotate refresh tokens and never store access tokens in insecure browser storage.
Merchant HMAC
- Merchants authenticate using `X-EGACARD-API-KEY`, `X-EGACARD-SIGNATURE`, `X-EGACARD-TIMESTAMP`, and `X-EGACARD-IDEMPOTENCY-KEY`.
- Sign the canonical request body using the merchant secret. Reject old timestamps and duplicate idempotency keys.
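One way a server could enforce the merchant checks above, as an added example rather than EgaCard's own code. It assumes hex-encoded HMAC-SHA256 over a sorted-key compact JSON body, Unix-second timestamps, and a 300-second freshness window, none of which the page specifies; `MerchantVerifier`, `canonical_body` and `sign` are hypothetical names.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300  # assumed freshness window; not stated on the page

def canonical_body(payload: dict) -> bytes:
    # Assumed canonical form: UTF-8 JSON, sorted keys, no extra whitespace.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def sign(secret: bytes, body: bytes) -> str:
    # Assumed scheme: hex-encoded HMAC-SHA256 over the canonical body.
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

class MerchantVerifier:
    def __init__(self, secrets: dict):
        self.secrets = secrets  # API key -> merchant secret (bytes)
        self.seen = set()       # (api_key, idempotency_key); use a TTL store in production

    def verify(self, headers: dict, body: bytes, now=None) -> str:
        """Return "ok" or the reason the request is rejected."""
        now = time.time() if now is None else now
        api_key = headers.get("X-EGACARD-API-KEY", "")
        secret = self.secrets.get(api_key)
        if secret is None:
            return "unknown api key"
        try:
            ts = int(headers.get("X-EGACARD-TIMESTAMP", ""))
        except ValueError:
            return "bad timestamp"
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return "stale timestamp"
        supplied = headers.get("X-EGACARD-SIGNATURE", "")
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(sign(secret, body).encode(), supplied.encode()):
            return "bad signature"
        idem = headers.get("X-EGACARD-IDEMPOTENCY-KEY", "")
        if not idem:
            return "missing idempotency key"
        # Record the key only after the signature checks out, so unsigned
        # traffic cannot use up a merchant's idempotency keys.
        if (api_key, idem) in self.seen:
            return "duplicate idempotency key"
        self.seen.add((api_key, idem))
        return "ok"
```

If only the body is signed, as assumed here, the timestamp and idempotency-key headers are not covered by the signature; confirm the exact signed string against EgaCard's reference before relying on this.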
Endpoints
| Endpoint | Method | Auth | Headers | Notes |
|---|---|---|---|---|
| Create access token (`/api/v1/token/`). Create a JWT access and refresh token pair. | POST | Public credentials; valid platform user | `Content-Type: application/json` | Idempotency: Not applicable. Sandbox: Supported with sandbox keys and adapters. Production: Available subject to verification, country activation, and provider support. Rate limits: Standard authenticated rate limits. |
| Refresh access token (`/api/v1/token/refresh/`). Rotate an expiring access token. | POST | Refresh token; authenticated caller | `Content-Type: application/json` | Sandbox: Supported with sandbox keys and adapters. Production: Available subject to verification, country activation, and provider support. Rate limits: Standard authenticated rate limits. |
| Verify access token (`/api/v1/token/verify/`). Check whether a JWT is still valid. | POST | JWT; authenticated caller | `Content-Type: application/json` | Sandbox: Supported with sandbox keys and adapters. Production: Available subject to verification, country activation, and provider support. Rate limits: Standard authenticated rate limits. |