Grant

Authenticate with your WiPay account credentials to receive an access token and refresh token. Bearer tokens are the standard authentication method for protected WAPI routes, and WiPay PERSONAL accounts can use only this flow. WiPay BUSINESS accounts can also authenticate with WAPI Keys that they create and manage themselves.

This endpoint issues OAuth bearer credentials only. It does not issue WAPI Keys.

Endpoint

POST /auth/tokens

Request

Headers

Body (form-data)

Notes:

• email must be a valid email address.
• password must be at least 8 characters.
• scopes must be a string of valid scope names separated by spaces.
• If the credentials are valid but the account is not allowed to use one or more requested scopes, the backend revokes the newly issued access token and returns 403 Forbidden.

See the Scopes Reference for all available scopes and parent-scope behavior.

Responses

200 OK

{
  "message": "OK",
  "token_type": "Bearer",
  "expires_in": 43200,
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOi...",
  "refresh_token": "def50200..."
}

400 Bad Request

{
  "message": "The scopes field has invalid values."
}

401 Unauthorized

{
  "message": "The user credentials were incorrect.",
  "error": "invalid_credentials",
  "error_description": "The user credentials were incorrect."
}

403 Forbidden

{
  "message": "Forbidden"
}

Example

curl -X POST https://ttsb.wipayfinancial.com/wapi/auth/tokens \
  -H "Accept: application/json" \
  -F "email=your@email.com" \
  -F "password=your_password" \
  -F "scopes=wapi-transactions-retrieve wapi-transactions-get-fees"