Create Token API

API to create an access token (bearer token) used to authenticate other Bank Hub APIs. The token has a limited lifetime and must be refreshed when it expires.


API Endpoint

POST
https://bankhub-api-sandbox.sepay.vn/v1/token

Authentication

This API uses Basic Authentication with login credentials:

  • Username: client_id (provided by SePay to the partner)
  • Password: client_secret (provided by SePay to the partner)

Note
  • Use Basic Authentication: Encode the string client_id:client_secret to Base64 and place it in the header Authorization: Basic {base64_string}
  • Send the request with an empty body
  • The access token is valid for the duration specified by the ttl value (in seconds)
  • When the token expires, call this API again to obtain a new token

Error Handling

401 Unauthenticated

Client ID or Client Secret is invalid or disabled

API Response

Response 201 - Token created successfully
{
  "code": 201,
  "access_token": "5e79079684d93027ed1d7e414b04543b1d6ef164",
  "ttl": 60000
}
code (integer)

HTTP status code

access_token (string)

Bearer token used to authenticate other Bank Hub APIs

ttl (integer)

Token validity period (in seconds)

Code Examples

curl --request POST \
--url https://bankhub-api-sandbox.sepay.vn/v1/token \
--header 'Authorization: Basic REPLACE_BASIC_AUTH'

Using the Access Token

After obtaining the access_token, send it in the Authorization header in Bearer format on every other Bank Hub API call:

Using Bearer Token
Authorization: Bearer 5e79079684d93027ed1d7e414b02343b1d6ef164

Refreshing the Token

The token has a limited lifetime (specified by the ttl field). When the token expires, APIs will return a 401 Unauthorized error. At that point you need to:

  • Call the /v1/token API again to obtain a new token
  • Update the new token in your system
  • Continue using the new token for subsequent APIs

Note
  • Store the token securely and do not expose it on the client side
  • Implement an automatic token refresh mechanism before expiration
  • Handle 401 errors by automatically obtaining a new token and retrying the request
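
The refresh procedure and the notes above, as an added example that is not part of SePay's documentation: a server-side token cache that renews the token shortly before ttl elapses and retries once after a 401. The names TokenManager, http_send and skew are hypothetical, and the transport is injectable so the logic can be exercised without network access.

```python
import base64
import json
import time
import urllib.error
import urllib.request

TOKEN_URL = "https://bankhub-api-sandbox.sepay.vn/v1/token"  # sandbox endpoint from this page

def http_send(method, url, headers):
    """Default transport: returns (status, parsed JSON body); POST sends an empty body."""
    req = urllib.request.Request(url, data=b"" if method == "POST" else None,
                                 headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}

class TokenManager:
    """Hypothetical helper: keeps the token in server memory and renews it early."""

    def __init__(self, client_id, client_secret, send=http_send,
                 clock=time.monotonic, skew=30):
        pair = f"{client_id}:{client_secret}".encode()
        self._basic = "Basic " + base64.b64encode(pair).decode()
        self._send, self._clock, self._skew = send, clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self, force=False):
        """Return the cached token, renewing it `skew` seconds before ttl runs out."""
        if force or self._token is None or self._clock() >= self._expires_at - self._skew:
            status, body = self._send("POST", TOKEN_URL, {"Authorization": self._basic})
            if status != 201:
                # Fail closed: drop any cached token and never echo the secret.
                self._token = None
                raise PermissionError(f"token request rejected (HTTP {status})")
            self._token = body["access_token"]
            self._expires_at = self._clock() + int(body["ttl"])
        return self._token

    def call(self, method, url):
        """Call another Bank Hub API; on 401, obtain a new token and retry once."""
        status, body = self._send(method, url, {"Authorization": "Bearer " + self.token()})
        if status == 401:
            bearer = "Bearer " + self.token(force=True)
            status, body = self._send(method, url, {"Authorization": bearer})
        return status, body
```

The single retry keeps a disabled client_id from turning into a loop of token requests: a second 401 is returned to the caller as is.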