Authentication

Securing API access with authentication

Overview

All requests to the CrissCross APIs (Collect, Exchange, and Payouts) require an access token. You obtain a token by calling the Authentication endpoint with your merchantId and clientSecret, then include the token in the Authorization: Bearer ... header on subsequent API requests.


OAuth 2.0 Authentication

CrissCross uses OAuth 2.0 style access tokens for authenticating API requests across all services. Authentication is machine-to-machine: you request an access token using your merchantId and clientSecret, then include that token in the Authorization header on subsequent API calls to Collect, Exchange, or Payouts endpoints.

Get an access token

Use the Authentication API endpoint:

  • POST https://api.crisscross.money/v1/auth/oauth2/token

Example: request access token

curl --request POST 'https://api.crisscross.money/v1/auth/oauth2/token' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "merchantId": "YOUR_MERCHANT_ID",
    "clientSecret": "YOUR_CLIENT_SECRET"
  }'

Token Handling:

  • Access Token: Used to authenticate API requests.
  • Expiration: Tokens expire after expiresIn seconds. Store the token until it expires, then request a new one.

Example API Call Using OAuth:

curl --request GET 'https://api.crisscross.money/v1/<your-endpoint>' \
  --header 'Authorization: Bearer YOUR_ACCESS_TOKEN'

Handling Authentication Failures

If authentication fails, the API returns a 401 Unauthorized response. Ensure that:

  • The access token is correctly included in the Authorization header.
  • Tokens are not expired or revoked.
  • OAuth clients have the necessary permissions.

Best Practices for Authentication

  • Monitor Usage: Keep track of token usage through the dashboard.
  • Secure Storage: Store tokens securely in environment variables or a secrets manager.
  • Revocation: Immediately revoke compromised tokens.
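
The token handling, 401 handling, and secure storage points above can be combined in one small client-side cache. This is an added example, not CrissCross code: it keeps a token in memory until shortly before expiresIn elapses, requests a new one once after a 401, and reads credentials from the environment. Assumptions: the response field name accessToken, the environment variable names, the 30-second renewal margin, and the send callback are all illustrative and not taken from the page.

```python
import json
import os
import time
import urllib.request

TOKEN_URL = "https://api.crisscross.money/v1/auth/oauth2/token"  # from the page


def fetch_token(merchant_id, client_secret):
    """POST the credentials as JSON and return the parsed response body."""
    body = json.dumps({"merchantId": merchant_id, "clientSecret": client_secret})
    req = urllib.request.Request(TOKEN_URL, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Holds one token in memory and renews it shortly before expiresIn elapses."""

    def __init__(self, fetch, clock=time.monotonic, margin=30):
        self._fetch, self._clock, self._margin = fetch, clock, margin
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at:
            data = self._fetch()
            # ASSUMPTION: token field is "accessToken"; the page names only "expiresIn".
            self._token = data["accessToken"]
            self._expires_at = self._clock() + max(0, data["expiresIn"] - self._margin)
        return self._token

    def invalidate(self):  # call after a 401 or after revoking the token
        self._token = None

    def call(self, send):
        """send(headers) -> (status, body). Retries once with a new token on 401."""
        status, body = send({"Authorization": "Bearer " + self.get()})
        if status == 401:
            self.invalidate()
            status, body = send({"Authorization": "Bearer " + self.get()})
        return status, body


def cache_from_env():
    # Secrets come from the environment; these variable names are assumed.
    mid, secret = os.environ["CRISSCROSS_MERCHANT_ID"], os.environ["CRISSCROSS_CLIENT_SECRET"]
    return TokenCache(lambda: fetch_token(mid, secret))
```

A second 401 after the retry is returned to the caller unchanged, since at that point the cause is more likely permissions or revoked credentials than an expired token.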