Developers

Search for documents

Dev

Authentication

Every endpoint in the Valpay Internal API requires authentication using a JSON Web Token (JWT) passed as a Bearer token.

Authorization header

Include the token on every request in the Authorization header, prefixed with Bearer:

curl https://api.valpay.com/v1/users/me \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"
curl https://api.valpay.com/v1/users/me \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"
curl https://api.valpay.com/v1/users/me \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"
Token format

Property

Value

Scheme

bearer

Type

HTTP Authorization

Format

JWT

Unauthorized responses

Requests with a missing, malformed, or expired token are rejected with HTTP 401. Some endpoints also return 401 when the token is valid but lacks the required permissions for the operation.

{
  "statusCode": 401,
  "message": "Unauthorized - Invalid or missing token"
}
{
  "statusCode": 401,
  "message": "Unauthorized - Invalid or missing token"
}
{
  "statusCode": 401,
  "message": "Unauthorized - Invalid or missing token"
}
Best practices

Treat tokens as secrets: never log them, never put them in URL query strings, and rotate them if exposure is suspected. API keys for programmatic access are managed separately — see the API Keys resource.

Guides

Getting Started

Authentication

Pagination

Filtering, Sorting & Fields

api

API Keys

Transactions

Deposits

Disputes

Users

Permissions

Client Key

Terminals

Brands

Fee Profile Templates

Industry Codes

Jobs