Authentication

Securing API access with authentication

Overview

All requests to the CrissCross APIs (Collect, Exchange, and Payouts) require an access token. You obtain a token by calling the Authentication endpoint with your client_id and client_secret, then include the token in the Authorization: Bearer ... header on subsequent API requests.


OAuth 2.0 Authentication

CrissCross uses OAuth 2.0-style access tokens to authenticate API requests across all services. Authentication is machine-to-machine: you request an access token using your client_id and client_secret, then include that token in the Authorization header on subsequent API calls to Collect, Exchange, or Payouts endpoints.

Get an access token

Use the Authentication API endpoint:

  • POST https://api.crisscross.money/v1/auth/oauth2/token

Example: request access token

curl --request POST 'https://api.crisscross.money/v1/auth/oauth2/token' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET"
  }'

Token Handling:

  • Access Token: Used to authenticate API requests.
  • Expiration: Tokens expire after expires_in seconds. Store the token until it expires, then request a new one.

Example API Call Using OAuth:

curl --request GET 'https://api.crisscross.money/v1/<your-endpoint>' \
  --header 'Authorization: Bearer YOUR_ACCESS_TOKEN'

Handling Authentication Failures

If authentication fails, the API returns a 401 Unauthorized response. Ensure that:

  • The access token is correctly included in the Authorization header.
  • Tokens are not expired or revoked.
  • OAuth clients have the necessary permissions.
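
The token lifecycle described above (keep the token until expires_in elapses, request a new one, and renew once after a 401) can be sketched as follows; this is an added example, not CrissCross's own client code. Assumptions: the token response carries the token in an access_token field (the standard OAuth 2.0 name, not shown on this page), the names TokenCache, call_with_retry and cache_from_env, the CRISSCROSS_CLIENT_ID / CRISSCROSS_CLIENT_SECRET environment variables and the 30-second renewal margin are all hypothetical.

```python
import json
import os
import time
import urllib.request

TOKEN_URL = "https://api.crisscross.money/v1/auth/oauth2/token"

def fetch_token(client_id, client_secret):
    """POST the credentials as JSON (same request as the curl example); return the parsed body."""
    body = json.dumps({"client_id": client_id, "client_secret": client_secret}).encode()
    req = urllib.request.Request(TOKEN_URL, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Holds one token in memory and renews it shortly before expires_in elapses."""
    def __init__(self, fetch, skew=30, clock=time.monotonic):
        self._fetch = fetch    # callable returning the token response as a dict
        self._skew = skew      # renew this many seconds early (assumed margin)
        self._clock = clock    # injectable so expiry can be tested without waiting
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at:
            resp = self._fetch()
            # "access_token" is the standard OAuth 2.0 field name, assumed here.
            self._token = resp["access_token"]
            self._expires_at = self._clock() + max(int(resp["expires_in"]) - self._skew, 0)
        return self._token

    def invalidate(self):
        """Drop the cached token, for example after a 401 (expired or revoked)."""
        self._token = None

    def auth_header(self):
        return {"Authorization": "Bearer " + self.get()}

def call_with_retry(cache, send):
    """send(headers) -> (status, body). On a 401, renew the token once and retry."""
    status, body = send(cache.auth_header())
    if status == 401:
        cache.invalidate()
        status, body = send(cache.auth_header())
    return status, body

def cache_from_env():
    """Read credentials from the environment (assumed variable names), never from source."""
    cid, secret = os.environ["CRISSCROSS_CLIENT_ID"], os.environ["CRISSCROSS_CLIENT_SECRET"]
    return TokenCache(lambda: fetch_token(cid, secret))
```

A second 401 after renewal is returned to the caller unchanged, since it points at missing permissions or revoked credentials rather than an expired token.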

Best Practices for Authentication

  • Monitor Usage: Keep track of token usage through the dashboard.
  • Secure Storage: Store tokens securely in environment variables or a secrets manager.
  • Revocation: Immediately revoke compromised tokens.