Gr4vy uses Bearer (Token) Authentication to authenticate any API request. The tokens used in these requests are JSON Web Tokens (JWT) that can be created server side. All API requests must be made over HTTPS and any API calls made to HTTP will not be accepted.
In this guide we will show you how to:
- Use Bearer (Token) Authentication to authenticate a single API call.
- Create the cryptographic key-pair used to sign a JWT.
- With a key-pair in hand you can then either
Learn more about JWT
jwt.io to learn more about JWT and the tools
available in your programming language to create and validate them.
Every Gr4vy APIs that requires authentication expect
with a signed JWT token as it's value (prefixed with
To sign a JWT you will need to register a new cryptographic key-pair with your Gr4vy instance. A key-pair consist of the public and a private keys that will be used to sign (and subsequently verify) the JWT.
To create a new API key-pair visit the Integrations panel in your admin console and generate and download a new API key-pair. You can store the key-pair with your code or store it in a secure environment accessible to your application.
JWTs can be generated using one of our SDKs, or manually using a compatible JWT library. For your convenience we recommend using one of our SDKs as they make the process a lot easier.
First, install the SDK.
Then, initialize the client with your private key and generate the token.
Automatic authentication using SDKs
The SDKs actually make it easy to make direct API calls without needing to use the token. Still, generating a token to be used outside of the SDK can be useful in a micro-services architecture. In all other situations use the built-in SDK methods for making an API call.
In some cases you might not want to use one of our SDKs, or an SDK in your
language might not be available. In those cases you can construct, and sign the
JWT with one of the many libraries available on
At the high level a JWT is build up out of 3 pieces:
- A header defining the algorithm and key used to create the JWT.
- A set of claims that define the token's scope and other permissions.
- A cryptographic signature based on the header and the claims, signed using your private key.
Combine, these 3 pieces make up the JSON Web Token (JWT). See
jwt.io for more details on the specification and available
libraries for generating JWTs.
The JWT header defines the type of encryption algorithm as well as the private key used to generate the signature.
alg are fixed and do not allow for other values. The
the ID of your private key, which you can find in the Integrations panel of
your dashboard. The
kid is also the so-called thumbprint of your JWT
key. Some libraries can automatically calculate this thumbprint based off the
The claims define when the token was created and what access it has.
The API supports the following JWT claims.
|A unique ID that represents your code making this call. This helps identify what library made an API call to Gr4vy.||Yes|
|The unix timestamp that this token was created at.||Yes|
|The unix timestamp that this token expires at.||Yes|
|A random unique ID used for cryptographic entropy. This needs to be unique between API calls.||Yes|
|A list of scopes that give this token access to the API.||Yes|
|A dictionary of key-value pairs used to pin the amount, currency, and buyer info for use in Gr4vy Embed.||No|
The API supports the following values for the
|Allows read-access to any resource. This is used by default in the SDKs|
|Allows write-access to any resource. This is used by default in the SDKs. This does not also allow read access.|
|Allows read-access to a type or resource. For example, |
|Allows write-access to a type or resource. For example, |
|A scope that represents all the access needed by Gr4vy Embed.|
Finally, the JWT signature is generated by appending the Base64-encoded header
and claims (separated with a
.) and run it through the
The assembled JWT is then formed by appending the Base64-encoded header, claims, and signature separated by a full stop.