SePay OAuth2 Overview
Learn about the OAuth2 authentication mechanism for integrating with SePay API.
Introduction
SePay has implemented the OAuth2 authentication mechanism, making integration with our system easier and more secure for partners.
This document provides detailed guidance on how to use OAuth2 to connect to SePay’s API endpoints.
What is OAuth2?
OAuth2 is a standard authorization protocol that allows third-party applications to access user resources without requiring login credentials.

OAuth2 provides the following benefits:
- Security: No need to share login credentials with third-party apps
- Control: Users can limit the access scope for each application
- Flexibility: Easy to revoke access without changing passwords
- Standardized: Widely supported and adopted by many online services
Benefits of Using OAuth2 with SePay
Implementing OAuth2 brings several key advantages when integrating with SePay:
- Secure authentication without sharing login credentials, minimizing security risks.
- Granular access control to each endpoint, helping you manage which data and features can be accessed.
- Restricted access scope for third-party apps, ensuring only necessary permissions are granted.
- Token refresh mechanism to maintain a secure connection without re-authentication.
Scopes
SePay defines scopes to control access to specific APIs:
| Scope | Description |
|---|---|
| bank-account:read | Permission to read bank account information |
| transaction:read | Permission to read transaction information |
| webhook:read | Permission to read webhook information |
| webhook:write | Permission to write webhook information |
| webhook:delete | Permission to delete webhook information |
| profile | Permission to read user profile information |
| company | Permission to read company information |

When registering an application, you can request one or multiple scopes.
Users will be prompted to grant access during the authentication process.
OAuth2 Flow Overview
The OAuth2 flow in SePay follows the standard authentication process with the following steps:
- Obtain `client_id` and `client_secret` from SePay via the Developer Portal.
- Redirect users to SePay’s authorization screen to grant access.
- SePay redirects the user back to your application with an authorization code.
- Send an API request to SePay to exchange the authorization code for an access token.
- Attach the access token to the header of API requests for authentication.
- Use the refresh token to obtain a new access token when it expires.

Detailed instructions for each step in the OAuth2 flow can be found in Authentication Flow.
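The redirect and callback steps above, as an added example (not SePay's own code): it requests only scopes from the table on this page, binds the request to a random `state` value, and refuses an authorization code whose `state` does not match. Assumptions: `AUTHORIZE_URL` is a placeholder (the real URL is in Authentication Flow), the query parameter names are the standard OAuth2 ones from RFC 6749, and the client ID and redirect URI used with it are constructed values.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Scopes copied from the scope table on this page.
KNOWN_SCOPES = {"bank-account:read", "transaction:read", "webhook:read",
                "webhook:write", "webhook:delete", "profile", "company"}
# Placeholder, not a real SePay URL: take the actual one from Authentication Flow.
AUTHORIZE_URL = "https://sepay.example.invalid/oauth/authorize"


def build_authorization_url(client_id, redirect_uri, scopes):
    """Return (url, state); refuse scopes that the page does not define."""
    unknown = set(scopes) - KNOWN_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    # Unguessable value; store it in the user's server-side session.
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",          # authorization code grant
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(set(scopes))),
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def extract_code(callback_url, expected_state):
    """Return the authorization code only if state matches the one issued."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:
        raise PermissionError(f"authorization failed: {params['error'][0]}")
    returned = params.get("state", [""])[0]
    # Constant-time comparison on bytes; a mismatch means the callback
    # did not originate from the request this session started.
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: discard the code")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code
```

The code returned by `extract_code` is what gets exchanged for an access token in the next step; that exchange uses `client_secret` and must run server-side only.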
API Base URL
All SePay OAuth2 APIs share the same base URL:
https://my.sepay.vn/api/v1
When making API requests, append the specific endpoint path after the base URL. Example:
| Endpoint | Full URL | Description |
|---|---|---|
| /bank-accounts | https://my.sepay.vn/api/v1/bank-accounts | API to retrieve bank account list |
| /transactions | https://my.sepay.vn/api/v1/transactions | API to retrieve transaction list |
| /webhooks | https://my.sepay.vn/api/v1/webhooks | API to manage webhooks |
| /me | https://my.sepay.vn/api/v1/me | API to retrieve current user information |
| /companies | https://my.sepay.vn/api/v1/companies | API to retrieve company information |
API Versioning
The "v1" part of the base URL represents the API version.
SePay uses versioning to ensure backward compatibility when updates are made.
- Current version: v1 (https://my.sepay.vn/api/v1)
- When a new API version is released, SePay will announce and update the documentation.

We always maintain older versions for a reasonable period to allow applications to upgrade smoothly.
All API requests must include an Access Token in the Authorization header, as described in Access Token.