WePay

API OAuth2 Endpoints

If you are unfamiliar with OAuth2, you should read our OAuth2 authorization tutorial.

The WePay API uses OAuth2 and the two endpoints are:

Production:

Authorization https://www.wepay.com/v2/oauth2/authorize
Token https://wepayapi.com/v2/oauth2/token

Stage:

Authorization https://stage.wepay.com/v2/oauth2/authorize
Token https://stage.wepayapi.com/v2/oauth2/token

/oauth2/authorize

This is the endpoint that you send the user to so they can grant your application permission to make calls on their behalf. It is not an API call but an actual URI that you send the user to. You can either do a full redirect to this URI or, if you want to keep the user on your site, open the URI in a popup with our JS library.

Full redirect option

The easiest implementation for OAuth2 is to redirect the user to WePay's OAuth2 authorization URI. The following parameters should be URI-encoded and appended to the endpoint URI:

Arguments:

| Parameter | Required | Type | Description |
|---|---|---|---|
| client_id | Yes | Number | The client id issued to the app, found on your application's dashboard. |
| redirect_uri | Yes | String | The uri the user will be redirected to after authorization. Must have the same domain as the application. |
| scope | Yes | String | A comma separated string list of permissions. Click here for a list of permissions. |
| state | No | String | The opaque value the client application uses to maintain state. |
| user_name | No | String | The user name used to pre-fill the authorization form |
| user_email | No | String | The user email used to pre-fill the authorization form |

In this case the request should take the form of a URI with the request parameters URI-encoded:

https://www.wepay.com/v2/oauth2/authorize
?client_id=[your client id]
&redirect_uri=[your redirect uri ex. 'http://example.com/wepay']
&scope=[the permissions you want ex. manage_accounts,collect_payments]

When you send the user to this URI they will see the following screen:

[Screenshot: WePay API authorization endpoint]

Here they have the option to either register with a new email or use an existing email. Either way, once they hit "Grant Access", they will be returned to the redirect_uri you specified when you sent them to this page. The following parameters will be URL-encoded in the redirect URI and will be needed to make the /v2/oauth2/token call.

Response:

| Response | Type | Description |
|---|---|---|
| code | String | The authorization code used to get the access token. This code expires in 10 minutes |
| state | String | The opaque value the client application uses to maintain state (same as above, if provided) |
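The full-redirect flow above, sketched server-side in Node.js as an added example (not WePay's code): it builds the URI-encoded authorize URI and uses state to bind the returned code to the session that started the flow. The function names are hypothetical, and storing the state value in the user's session is assumed to happen in the calling code.

```javascript
// Added example (not WePay code): build the authorize redirect and verify the callback.
const crypto = require("crypto");

const AUTHORIZE_URL = "https://stage.wepay.com/v2/oauth2/authorize"; // stage endpoint from this page

// Build the redirect URI; URLSearchParams URI-encodes every value.
function buildAuthorizeUrl({ clientId, redirectUri, scopes, state }) {
  const params = new URLSearchParams({
    client_id: String(clientId),
    redirect_uri: redirectUri,
    scope: scopes.join(","), // comma separated list of permissions
    state,
  });
  return `${AUTHORIZE_URL}?${params}`;
}

// One unpredictable state value per authorization attempt, kept in the user's session.
function newState() {
  return crypto.randomBytes(32).toString("hex");
}

// Parse the redirect back to redirect_uri; return the code only if state matches.
function readCallback(callbackUrl, expectedState) {
  const q = new URL(callbackUrl).searchParams;
  const got = Buffer.from(q.get("state") || "");
  const want = Buffer.from(expectedState);
  // timingSafeEqual requires equal lengths, so check length first.
  const ok = got.length === want.length && crypto.timingSafeEqual(got, want);
  if (!ok) throw new Error("state mismatch: discard this response");
  const code = q.get("code");
  if (!code) throw new Error("no authorization code in callback");
  return code; // expires in 10 minutes; exchange it at /oauth2/token promptly
}
```

A fixed or guessable state value gives no binding between the response and the session, so generate a fresh one for each attempt and compare it before using the code.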

OR Keep the user on your site with the OAuth2 popup

If you want users to remain on your site during the OAuth2 flow you can open up the OAuth2 authorize uri in a popup. To do so, you will use our wepay.v2.js JS library and call the WePay.OAuth2.button_init() function. Here is an example of how to make this call:

		
<a id="start_oauth2">Click here to create your WePay account</a>
 
<script src="https://static.wepay.com/min/js/wepay.v2.js" type="text/javascript"></script>
<script type="text/javascript">

WePay.set_endpoint("stage"); // stage or production

WePay.OAuth2.button_init(document.getElementById('start_oauth2'), {
    "client_id":"112894",
    "scope":["manage_accounts","collect_payments","view_user","send_money","preapprove_payments"],
    "user_name":"test user",
    "user_email":"test@example.com",
    "redirect_uri":"http://www.example.com/test",
    "top":100, // control the positioning of the popup with the top and left params
    "left":100,
    "state":"robot", // this is an optional parameter that lets you persist some state value through the flow
    "callback":function(data) {
        // This callback gets fired after the user clicks "grant access" in the popup
        // and the popup closes. The data object will include the code, which you can
        // pass to your server to make the /oauth2/token call.
        console.log(data);
    }
});

</script>

They will see a button that looks like this:

Click here to create your WePay account

/oauth2/token

Once you have sent the user through the authorization endpoint and they have returned with a code, you can use that code to retrieve an access token for that user. The redirect URI will need to be the same as in the /v2/oauth2/authorize step.

Note that when you request a new access_token with this call, we will automatically revoke all previously issued access_token for this user. Make sure you update the access_token you are using for a user each time you make this call.

Arguments:

| Parameter | Required | Type | Description |
|---|---|---|---|
| client_id | Yes | Number | The client id issued to the app, found on your application's dashboard. |
| redirect_uri | Yes | String | The uri the user was redirected to after authorization. Must be the same as passed in /oauth2/authorize |
| client_secret | Yes | String | The client secret issued to the app by WePay - see your client secret on your application's dashboard |
| code | Yes | String | The code returned by /oauth2/authorize. This code expires in 10 minutes. |
| callback_uri | No | String | A callback_uri you want to receive IPNs for this user on. If you specify a callback_uri you will receive IPNs with the user_id when the user revokes an access_token or is deleted. |

Example:

{
  "client_id":12345,
  "client_secret":"1a2b3c4d5e6f",
  "redirect_uri":"http://example.com/user/oauth2/12345",
  "code":"a35k2j9aeigj43tu09a4ugaoijg0943ug0349ugakj"
}

Response:

| Response | Type | Description |
|---|---|---|
| user_id | Number | The unique user ID of the user |
| access_token | String | The access_token that you can use to make calls on behalf of the user |
| token_type | String | The token type - for now only "BEARER" is supported |
| expires_in | Number | How much time in seconds till the access_token expires. If NULL or not present, the access token will be valid until the user revokes the access_token |

Example:

{
  "user_id":12345,
  "access_token":"5220ba86b6c4cbaf6a78ccf60dfe83514eeb8b1ee88f1a58f9de7d818f68",
  "token_type":"BEARER"
}
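Server-side handling of the /oauth2/token call, as an added example (not WePay's code): it builds the request from the arguments above and stores the response so that a new token replaces the revoked one. The function names and the Map-based store are hypothetical, and sending the arguments as a JSON POST body is an assumption based on the JSON example on this page.

```javascript
// Added example (not WePay code): token request body and response handling.
const TOKEN_URL = "https://stage.wepayapi.com/v2/oauth2/token"; // stage endpoint from this page

// Request descriptor for /oauth2/token. The JSON POST body is an assumption
// based on the JSON example on this page.
function buildTokenRequest({ clientId, clientSecret, redirectUri, code }) {
  return {
    url: TOKEN_URL,
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({
      client_id: clientId,
      client_secret: clientSecret, // server-side only, never shipped to the browser
      redirect_uri: redirectUri,   // must equal the value used at /oauth2/authorize
      code,
    }),
  };
}

// Validate the response and store it, replacing any earlier token for the user:
// WePay revokes previously issued tokens when a new one is requested.
function storeToken(store, responseText, nowMs = Date.now()) {
  const r = JSON.parse(responseText);
  if (!Number.isInteger(r.user_id)) throw new Error("missing user_id");
  if (typeof r.access_token !== "string" || r.access_token === "") {
    throw new Error("missing access_token");
  }
  if (String(r.token_type).toUpperCase() !== "BEARER") {
    throw new Error("unsupported token_type");
  }
  // expires_in NULL or absent: valid until the user revokes the token.
  const expiresAt = r.expires_in == null ? null : nowMs + r.expires_in * 1000;
  store.set(r.user_id, { accessToken: r.access_token, expiresAt });
  return store.get(r.user_id);
}
```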