WePay Developer

Access Tokens

An access_token is a unique string of letters and numbers that you pass with every API call, so WePay knows that you have authorization to make that call.

Each access_token is associated with:

  • Your API application
  • The user you are acting on behalf of (for merchants, this is yourself)
  • The permissions your app has for that user

If you include an access_token in an API call, we automatically know the API application and the WePay user for whom the call is being made.

The access token should be passed in the 'Authorization' HTTP request header. It should look like this:

Authorization: Bearer <access-token>

(Just make sure to replace <access-token> with the appropriate access_token.)

Access Token Security

access_tokens are private, so they should never be shared or passed as a GET or POST argument. You should never email your access_token to WePay or to a third party.

Getting an access_token

If you’re a merchant who only accepts payments from your customers, you can find your access_token on the "API Keys" tab of your app dashboard.

If you’re a platform that facilitates payments for your users, you have to use a different access_token for each user. You can get an access_token for a user via the OAuth2 flow.

If you want to make a call for user #1 you need to use the access_token you have for user #1, and if you want to make a call for user #2, you should use the access token you have for user #2.
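The rules above (token only in the Authorization header, never as a GET or POST argument, one token per user) can be enforced in a single request builder. This is an added example, not WePay's own code; the base URL, the /example/call path, the JSON body and the sample tokens are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

# Assumption: placeholder base URL, not taken from the page.
API_BASE = "https://api.example.invalid/v2"


class TokenInParamsError(ValueError):
    """Raised when a caller tries to send the token as a GET/POST argument."""


def build_request(tokens, user_id, path, params=None):
    """Build (not send) a POST for `user_id` carrying that user's own token."""
    params = dict(params or {})
    token = tokens[user_id]  # KeyError if we hold no token for this user
    # The token may travel only in the Authorization header.
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(path).query)
    if "access_token" in params or "access_token" in query:
        raise TokenInParamsError("access_token must not be a GET or POST argument")
    if token in path or any(token in str(v) for v in params.values()):
        raise TokenInParamsError("token value found in URL or body")
    return urllib.request.Request(
        API_BASE + path,
        data=json.dumps(params).encode(),  # assumption: JSON request body
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
        method="POST",
    )


def loggable_headers(req):
    """Copy of the request headers that is safe to write to logs."""
    return {k: ("Bearer <redacted>" if k.lower() == "authorization" else v)
            for k, v in req.header_items()}


# Constructed sample tokens, one per user (not real credentials).
SAMPLE_TOKENS = {"user1": "SAMPLE_TOKEN_AAAA1111",
                 "user2": "SAMPLE_TOKEN_BBBB2222"}

if __name__ == "__main__":
    req = build_request(SAMPLE_TOKENS, "user2", "/example/call", {"note": "hi"})
    print(req.full_url, loggable_headers(req))
```
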

Revoked access_token

A revoked access_token means that your app can no longer make API calls on behalf of a particular user. An access_token can be revoked in two ways:

  1. The user goes to their user settings on WePay and manually revokes the access_token.
  2. Your app requests a new access_token via the /oauth2/token call. Each time you make the /oauth2/token call, we revoke all access_tokens for that user that were previously issued to your app. You should only make the /oauth2/token call if the current access_token does not work.