Target Audience: Administrators
API Users
Introduction
This section describes how to manage API users in PAP.
Create an API user
To create your first API user, you will need to supply the following information.
| Field | Description |
|---|---|
| Name | The name of the API user. |
| Provision service | If the API user is used for provisioning subscriptions, this is the service in charge of the subscription lifecycle. |
| Redirect URI | The URI to which the user will be redirected after an authorization request. |
| Offline access | Whether the API user will be used with refresh tokens. |
| SSO2 client | Whether the API user will be used with SSO2. |
| Scopes | The scopes with which tokens will be issued. |
| Origin URLs | If the API user will be accessed using CORS, define the allowed origins here. |
Example when creating an API user
Implementing the OpenID Standard
To implement the OpenID Standard with Payway, you need to configure an API user with specific OpenID Connect settings. This allows your application to authenticate users through Payway using the standardized OAuth 2.0 and OpenID Connect protocols.
Prerequisites
Before configuring OpenID, ensure that your API user has the following enabled:
- SSO2 client: Must be enabled to support OpenID Connect authentication
- Required scopes:
  - `/external/account/w` - Write access to external account operations
  - `/external/me/w` - Write access to user profile operations
  - `/api/authorization/token_info` - Required for the UserInfo endpoint to validate and fetch information about the previously issued access token
  - `/openid` - Core scope that enables OpenID Connect authentication and returns the ID token with the user identifier
  - `/openid/profile` - Grants access to user profile claims such as name, preferred username, and other profile information
  - `/openid/email` - Grants access to the user's email address and email verification status
  - `/openid/offline_access` - Enables refresh tokens to obtain new access tokens without requiring user re-authentication
Offline Access
Note that the /openid/offline_access scope is only used for the Offline access permission between your application and the OpenID protocol. The API User must also have "Offline access" enabled in order for refresh tokens to be issued.
Configuration Availability
OpenID configuration can only be added to existing API users. You must first create an API user before you can configure OpenID settings.
Configuration Steps
Navigate to your API user settings in PAP and select Configure OpenID to set up the following parameters:
| Field | Description |
|---|---|
| Account login URL | The URL pointing to your implementation's login page. By default, this is set to the PCP login URL, but you can customize it to point to your own authentication page where users will enter their credentials. |
| Redirect URL | The callback endpoint in your application as defined by the OpenID Standard. This endpoint should catch the code parameter returned after successful authentication, validate it, and send it back to the OpenID Token endpoint to exchange it for access tokens. |
| Post Logout Redirect URL | The URL where the user will be redirected after successfully logging out. This allows you to control the post-logout experience and direct users to an appropriate landing page after their session has been terminated. |
| Allowed grant types | Configure both authorization_code and refresh_token grant types. The authorization code flow is used for the initial authentication, while refresh tokens allow your application to obtain new access tokens without requiring the user to re-authenticate. |
| Require PKCE | Boolean flag that enforces the use of PKCE (Proof Key for Code Exchange) in the authorization flow. When enabled, clients must provide a code challenge during authorization and corresponding code verifier during token exchange. Recommended for public clients such as mobile applications and single-page applications to prevent authorization code interception attacks. |
OpenID Connect Flow
Once configured, the authentication flow works as follows:
- User initiates login and is redirected to the Account login URL
- After successful authentication, the user is redirected back to your Redirect URL with an authorization `code` parameter
- Your application validates the code and exchanges it for access and refresh tokens by calling the OpenID Token endpoint
- The access token can be used to make authenticated API requests to Payway
This configuration provides a complete OpenID Connect implementation that complies with the OpenID Standard, enabling secure authentication and authorization for your application.
For detailed implementation instructions, including endpoint URLs for both staging and production environments, see the OpenID Connect integration documentation.
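The following is an added example, not code from this documentation or from Payway, showing the client side of the flow above: an authorization request with PKCE (S256, as required when "Require PKCE" is enabled), a callback handler that checks the `state` value before accepting the `code` parameter, and the bodies of the authorization-code and refresh-token grant requests. The endpoint URLs, client id and redirect URI are placeholders; the real values come from the OpenID Connect integration documentation. The scope strings are the ones listed under Prerequisites.

```python
"""Authorization code + PKCE client helpers (added example, not Payway's own code)."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders: real endpoints and client settings come from the integration docs.
AUTHORIZE_URL = "https://sso.example.invalid/oauth/authorize"  # placeholder
TOKEN_URL = "https://sso.example.invalid/oauth/token"          # placeholder
CLIENT_ID = "example-api-user"                                  # placeholder
REDIRECT_URI = "https://app.example.invalid/oidc/callback"      # placeholder, must match the API user's Redirect URL

# Scopes from the Prerequisites section; offline_access is what makes a refresh token possible.
SCOPES = ["/openid", "/openid/profile", "/openid/email", "/openid/offline_access"]


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_verifier() -> str:
    """32 random bytes give a 43-character verifier, inside RFC 7636's 43..128 range."""
    return _b64url(secrets.token_bytes(32))


def pkce_challenge(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(state: str, verifier: str) -> str:
    """URL the browser is sent to; only the challenge leaves the client, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to REDIRECT_URI and return the authorization code."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    state = qs.get("state", [""])[0]
    # Constant-time compare so the state check cannot leak timing information.
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not started by this session")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback is missing the code parameter")
    return code


def token_exchange_body(code: str, verifier: str) -> dict:
    """Form body for the authorization_code grant sent to TOKEN_URL."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,  # server hashes this and compares with the earlier challenge
    }


def refresh_body(refresh_token: str) -> dict:
    """Form body for the refresh_token grant; no browser round trip is needed."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token, "client_id": CLIENT_ID}


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)   # bind the callback to this login attempt
    verifier = pkce_verifier()          # keep server-side with the session, never in the URL
    print(build_authorization_request(state, verifier))
    # Constructed callback, as the browser would deliver it after a successful login.
    callback = f"{REDIRECT_URI}?code=CONSTRUCTED_CODE&state={state}"
    code = parse_callback(callback, state)
    print(token_exchange_body(code, verifier))
```

The verifier and `state` must be stored with the user's session between the redirect out and the callback in; a callback whose `state` does not match is rejected before the code is ever sent to the token endpoint, and the refresh grant only succeeds if the API user has "Offline access" enabled in addition to the `/openid/offline_access` scope.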
Disable API user
While deleting API users in Payway is not supported, an API user can be disabled. Navigate to the API user you would like to disable; at the bottom of the page you will have the option to do so. Please note that disabled API users cannot be used to perform any kind of request, so this action should be taken with caution.
Where can I find API users in PAP
- Security => API Users