Skip to main content


Gr4vy uses Bearer (Token) Authentication to authenticate any API request. The tokens used in these requests are JSON Web Tokens (JWT) that can be created server side. All API requests must be made over HTTPS and any API calls made to HTTP will not be accepted.

In this guide we will show you how to:

Learn more about JWT

Visit to learn more about JWT and the tools available in your programming language to create and validate them.

Authenticate an API call

Every Gr4vy APIs that requires authentication expect authorization HTTP-header with a signed JWT token as it's value (prefixed with bearer).

curl -i -X GET "https://api.{gr4vyId}" \
-H "authorization: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"

Create an API key-pair

To sign a JWT you will need to register a new cryptographic key-pair with your Gr4vy instance. A key-pair consist of the public and a private keys that will be used to sign (and subsequently verify) the JWT.

To create a new API key-pair visit the Integrations panel in your admin console and generate and download a new API key-pair. You can store the key-pair with your code or store it in a secure environment accessible to your application.

JWT using SDK

JWTs can be generated using one of our SDKs, or manually using a compatible JWT library. For your convenience we recommend using one of our SDKs as they make the process a lot easier.

First, install the SDK.

npm install @gr4vy/node --save
# or: yarn add @gr4vy/node

Then, initialize the client with your private key and generate the token.

const fs = require("fs");
const { Client } = require("@gr4vy/node");
const key = String(fs.readFileSync("./private.key"));

const client = new Client({
gId: "acme",
privateKey: key,

const token = client.getBearerToken([""]);
Automatic authentication using SDKs

The SDKs actually make it easy to make direct API calls without needing to use the token. Still, generating a token to be used outside of the SDK can be useful in a micro-services architecture. In all other situations use the built-in SDK methods for making an API call.

Manual JWT

In some cases you might not want to use one of our SDKs, or an SDK in your language might not be available. In those cases you can construct, and sign the JWT with one of the many libraries available on

At the high level a JWT is build up out of 3 pieces:

  • A header defining the algorithm and key used to create the JWT.
  • A set of claims that define the token's scope and other permissions.
  • A cryptographic signature based on the header and the claims, signed using your private key.

Combine, these 3 pieces make up the JSON Web Token (JWT). See for more details on the specification and available libraries for generating JWTs.

JWT header

The JWT header defines the type of encryption algorithm as well as the private key used to generate the signature.

"typ": "JWT",
"alg": "ES512",
"kid": "d757c76acbd74b56"

The typ and alg are fixed and do not allow for other values. The kid is the ID of your private key, which you can find in the Integrations panel of your dashboard. The kid is also the so-called thumbprint of your JWT key. Some libraries can automatically calculate this thumbprint based off the private key.

JWT claims

The claims define when the token was created and what access it has.

"iss": "My JWT Generation Tool",
"nbf": 1607976645,
"exp": 1607976314,
"jti": "0fe1fb1b-2f7e-4c8d-b0eb-aae5d0ec98f7",
"scopes": [""],
"embed": {
"amount": "200",
"currency": "USD",
"buyer_id": "d757c76a-cbd7-4b56-95a3-40125b51b29c"

Supported JWT claims

The API supports the following JWT claims.

issA unique ID that represents your code making this call. This helps identify what library made an API call to Gr4vy.Yes
nbfThe unix timestamp that this token was created at.Yes
expThe unix timestamp that this token expires at.Yes
jtiA random unique ID used for cryptographic entropy. This needs to be unique between API calls.Yes
scopesA list of scopes that give this token access to the API.Yes
dataA dictionary of key-value pairs used to pin the amount, currency, and buyer info for use in Gr4vy Embed.No

Supported scopes

The API supports the following values for the scopes claims.

*.readAllows read-access to any resource. This is used by default in the SDKs
*.writeAllows write-access to any resource. This is used by default in the SDKs. This does not also allow read access.
{resource_name}.readAllows read-access to a type or resource. For example, enabled read-access for buyers data.
{resource_name}.writeAllows write-access to a type or resource. For example, payment-services.write enabled write-access for buyers data. This does not also allow read access.
embedA scope that represents all the access needed by Gr4vy Embed.

Signature & assembly

Finally, the JWT signature is generated by appending the Base64-encoded header and claims (separated with a .) and run it through the ES256 algorithm.

base64UrlEncode(header) + "." +

The assembled JWT is then formed by appending the Base64-encoded header, claims, and signature separated by a full stop.

base64UrlEncode(header) + "." + base64UrlEncode(payload) + "." + base64UrlEncode(signature)