Integration
In-depth knowledge
Testing and Go-live
Integrate
API Authentication
To start using Brite’s API, the first step is to authenticate your access. We use OAuth 2.0 for this, requiring your unique API credentials: a public_key and a secret.
You can find them in the Brite Back Office for sandbox or production. If you’re unsure if you already have an active set, it’s a good idea to check with your colleagues.
Request to generate a new access token
POST /api/merchant.authorize HTTP/1.1
Host: sandbox.britepaymentgroup.com
Content-Type: application/json
{
// This is a fake public_key, replace with your PUBLIC KEY
"public_key": "sandbox-7d2fcc4d92ccbc8db155a51e4ba1e6991cc7cff1",
// This is a fake secret, replace with your SECRET
"secret": "c135b4ebbd50563ae2363e8aaa7d80147b318fe4"
}
Response - HTTP 200
HTTP 200 OK
{
"access_token": "d98479174cac814bc9ddee617885694d8d9d10b11175d13872d3364a450961e94f7d296dec956f81",
"expires": 1741903012.0,
"refresh_token": "503b3b90a175f30c84f1dcf57af379e018d383f64d533ea910ccfd14c1a1a384b0013b4ee84c6352"
}
access_token
Your access_token is a temporary credential, typically valid for 6 hours from its creation. A new access_token
is generated with each request, meaning you can have multiple active tokens.
We recommend reusing your access_token
for as long as possible and refreshing it with your refresh_token
well before its expiration. For example, aim to refresh it around 30 minutes prior to expiry. This proactive approach ensures your system always has a valid token.
expires
This is the timestamp (in Unix epoch format, represented in seconds) indicating when your access_token will expire. It’s usually 6 hours after the token was created.
refresh_token
The refresh_token lets you get a new pair of access_token
and refresh_token
at any time, as long as the refresh_token
itself is valid. Importantly, your previous access_token
and refresh_token
remain valid until their original expiration times.
The access_token acts like a temporary key, letting you access protected resources. For all your subsequent API calls, just include this access_token in your request header using the Bearer token authentication scheme.
Authorization: Bearer
You should generate one access token and reuse it for all requests until it’s close to its expiration. Then, use your refresh token to get a new one, and continue this practice throughout your integration.
Request to refresh a access token
POST /api/merchant.token HTTP/1.1
Host: sandbox.britepaymentgroup.com
Content-Type: application/json
{
// Your currently used access_token
"access_token": "d98479174cac814bc9ddee617885694d8d9d10b11175d13872d3364a450961e94f7d296dec956f81",
// The associated refresh_token
"refresh_token": "503b3b90a175f30c84f1dcf57af379e018d383f64d533ea910ccfd14c1a1a384b0013b4ee84c6352"
}
Response - HTTP 200
HTTP 200 OK
{
"access_token": "4d851354fe2a6682b5bdc38e3f332b6630a2432d6f024922989dce9f171a662ea92ed9f0ab0df97a",
"expires": 1743696549.0,
"refresh_token": "834a4b057450ab3a1d0dadb2bad428f70e277f20839532df42291e1f2d2efc460aa6b0bb5fff8cf5"
}