API Authentication
To start using Brite’s API, the first step is to authenticate your access. We use OAuth 2.0 for this, requiring your unique API credentials: a public_key and a secret.
You can find them in the Brite Back Office for sandbox or production. If you’re unsure if you already have an active set, it’s a good idea to check with your colleagues.
1. Generate an access token
Once you have your credentials, include them in the POST /api/merchant.authorize API call. Brite will then provide an access_token, an expires timestamp, and a refresh_token.
Request to generate a new access token
POST /api/merchant.authorize HTTP/1.1
Host: sandbox.britepaymentgroup.com
Content-Type: application/json

{
  // This is a fake public_key, replace with your PUBLIC KEY
  "public_key": "sandbox-7d2fcc4d92ccbc8db155a51e4ba1e6991cc7cff1",
  // This is a fake secret, replace with your SECRET
  "secret": "c135b4ebbd50563ae2363e8aaa7d80147b318fe4"
}
Response - HTTP 200
HTTP 200 OK
{
  "access_token": "d98479174cac814bc9ddee617885694d8d9d10b11175d13872d3364a450961e94f7d296dec956f81",
  "expires": 1741903012.0,
  "refresh_token": "503b3b90a175f30c84f1dcf57af379e018d383f64d533ea910ccfd14c1a1a384b0013b4ee84c6352"
}
access_token
Your access_token is a temporary credential, typically valid for 6 hours from its creation. A new access_token is generated with each request, meaning you can have multiple active tokens.
We recommend reusing your access_token for as long as possible and refreshing it with your refresh_token well before its expiration. For example, aim to refresh it around 30 minutes prior to expiry. This proactive approach ensures your system always has a valid token.
expires
This is the timestamp (in Unix epoch format, represented in seconds) indicating when your access_token will expire. It’s usually 6 hours after the token was created.
refresh_token
The refresh_token lets you get a new pair of access_token and refresh_token at any time, as long as the refresh_token itself is valid. Importantly, your previous access_token and refresh_token remain valid until their original expiration times.
2. Use the access token
The access_token acts like a temporary key, letting you access protected resources. For all your subsequent API calls, just include this access_token in your request header using the Bearer token authentication scheme.
Authorization: Bearer <access_token>
3. Refresh the access token
You should generate one access token and reuse it for all requests until it’s close to its expiration. Then, use your refresh token to get a new one, and continue this practice throughout your integration.
Request to refresh an access token
POST /api/merchant.token HTTP/1.1
Host: sandbox.britepaymentgroup.com
Content-Type: application/json

{
  // Your currently used access_token
  "access_token": "d98479174cac814bc9ddee617885694d8d9d10b11175d13872d3364a450961e94f7d296dec956f81",
  // The associated refresh_token
  "refresh_token": "503b3b90a175f30c84f1dcf57af379e018d383f64d533ea910ccfd14c1a1a384b0013b4ee84c6352"
}
Response - HTTP 200
HTTP 200 OK
{
  "access_token": "4d851354fe2a6682b5bdc38e3f332b6630a2432d6f024922989dce9f171a662ea92ed9f0ab0df97a",
  "expires": 1743696549.0,
  "refresh_token": "834a4b057450ab3a1d0dadb2bad428f70e277f20839532df42291e1f2d2efc460aa6b0bb5fff8cf5"
}
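The three steps above combined into one client-side helper, as an added example that is not Brite's own code: it authorizes once, reuses the cached token, and refreshes about 30 minutes before expires. TokenManager, http_post, from_env and the BRITE_PUBLIC_KEY / BRITE_SECRET variable names are assumptions; re-authorizing once the access token has lapsed is a conservative choice, since the page does not state how long a refresh_token stays valid.

```python
import json
import os
import threading
import time
import urllib.request

BASE_URL = "https://sandbox.britepaymentgroup.com"  # sandbox host shown on the page
REFRESH_MARGIN = 30 * 60  # refresh about 30 minutes before expiry, as recommended


def http_post(path, payload):
    """POST a JSON body over TLS and return the decoded JSON response."""
    req = urllib.request.Request(
        BASE_URL + path,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenManager:
    """Hypothetical helper: caches one token pair and renews it before expiry."""

    def __init__(self, public_key, secret, post=http_post, clock=time.time):
        self._creds = {"public_key": public_key, "secret": secret}
        self._post, self._clock = post, clock
        self._lock = threading.Lock()
        self._tok = None  # last response: access_token, expires, refresh_token

    def auth_header(self):
        with self._lock:  # only one thread renews; the others reuse the result
            now = self._clock()
            if self._tok is None or now >= self._tok["expires"]:
                # No usable token (assumed policy): authorize with the API credentials.
                self._tok = self._post("/api/merchant.authorize", self._creds)
            elif now >= self._tok["expires"] - REFRESH_MARGIN:
                # Inside the refresh window: exchange the current pair for a new one.
                self._tok = self._post("/api/merchant.token", {
                    "access_token": self._tok["access_token"],
                    "refresh_token": self._tok["refresh_token"],
                })
            return {"Authorization": "Bearer " + self._tok["access_token"]}


def from_env():
    # Assumed variable names; reading them at runtime keeps the secret out of source.
    return TokenManager(os.environ["BRITE_PUBLIC_KEY"], os.environ["BRITE_SECRET"])
```

Merge the dictionary returned by auth_header() into the headers of each API call; the post and clock parameters exist so the renewal logic can be exercised without network access.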