OAuth 2.0 is an open standard for authorisation and works over HTTPS. In Setu's context, it is used to authorise API requests with access tokens. Read more about OAuth 2.0 here.
For Setu products, OAuth keys provide a lot of flexibility—you can set up a single set of keys to authorise requests for multiple product configurations, or authorise requests for a single configuration using multiple sets of keys.
A merchant calls Setu hosted APIs for creating payment links, checking link status, fetching reports etc. Merchants can use OAuth keys to generate an access token and authorise such API requests with the generate token API explained below.
Note on JWT authentication
The generate token API works only with OAuth keys. If you have implemented JWT auth to call Setu hosted APIs, we recommend upgrading to OAuth soon. We support JWT auth but will not build any further features for it.
Change of URLs for OAuth
Using OAuth requires a change to the Setu API endpoints you call. For example, if the given endpoint is https://prod.setu.co/api/(path), it would change to https://prod.setu.co/api/v2/(path)—notice the /v2 added before the (path).
A new token is provided by Setu in the success response, along with an expiresIn param, which states the validity of the token in seconds (the present default value is 1800 seconds or 30 minutes). You may store and keep reusing the same token until it expires.
Once you have a valid token available against product configuration(s), you can store it and use it to authorise an API call made to Setu, by setting the Authorization request header to Bearer <token-value>.
Implement a workflow to generate a new token when the old one expires. The general setup might look something like this—
Store clientID and secret.
Generate a new token with the stored clientID and secret when the token has expired. If the API you call returns 401 Unauthorized, that could indicate the token has expired.
Store the newly generated token and use it for subsequent API calls.
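The token lifecycle described above (generate with clientID and secret, cache until expiresIn runs out, send as a Bearer header, refresh on 401) as an added, self-contained example. This is illustrative code, not Setu's SDK: the Setu token endpoint URL and its exact request and response shapes are not reproduced here, so the token endpoint and the product API are replaced by a constructed in-memory stand-in (FakeSetu) that issues tokens valid for the page's default 1800 seconds. The class and function names, the 60-second safety margin and the credential values are assumptions made for the example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# A function that exchanges clientID + secret for (token, expiresIn seconds).
FetchToken = Callable[[str, str], Tuple[str, int]]
# An API call: takes the request headers, returns (HTTP status, body).
ApiCall = Callable[[Dict[str, str]], Tuple[int, object]]


@dataclass
class CachedToken:
    value: str
    expires_at: float  # epoch seconds, already reduced by the safety margin


class SetuTokenManager:
    """Caches one access token; refreshes it on expiry or after a 401."""

    def __init__(self, client_id: str, secret: str, fetch_token: FetchToken,
                 now: Callable[[], float] = time.time, margin_seconds: int = 60):
        self._client_id = client_id      # keep clientID and secret in a secret store in production
        self._secret = secret
        self._fetch_token = fetch_token  # wraps the generate token API
        self._now = now
        self._margin = margin_seconds    # assumption: refresh 60 s before expiresIn
        self._token: Optional[CachedToken] = None
        self.fetch_count = 0             # how often the token endpoint was called

    def get_token(self, force_refresh: bool = False) -> str:
        stale = self._token is None or self._now() >= self._token.expires_at
        if force_refresh or stale:
            value, expires_in = self._fetch_token(self._client_id, self._secret)
            self.fetch_count += 1
            # Treat the token as expired slightly before Setu does, so a request
            # sent just before the deadline does not arrive with a dead token.
            self._token = CachedToken(value, self._now() + expires_in - self._margin)
        return self._token.value

    def call(self, api_call: ApiCall) -> Tuple[int, object]:
        """Run one API call with a Bearer header; on 401 refresh and retry once."""
        status, body = api_call({"Authorization": f"Bearer {self.get_token()}"})
        if status == 401:
            token = self.get_token(force_refresh=True)
            status, body = api_call({"Authorization": f"Bearer {token}"})
        return status, body


class FakeSetu:
    """Constructed stand-in for the token endpoint and one product API.

    Not Setu's real behaviour: tokens are valid for 1800 s (the page's default
    expiresIn) and are checked purely by expiry time.
    """

    def __init__(self):
        self.clock = 0.0                      # simulated epoch seconds
        self.issued: Dict[str, float] = {}    # token -> expiry time
        self._counter = 0

    def token_endpoint(self, client_id: str, secret: str) -> Tuple[str, int]:
        # A real server verifies the OAuth keys against the registered ones.
        if (client_id, secret) != ("demo-client-id", "demo-secret"):
            raise PermissionError("invalid OAuth keys")
        self._counter += 1
        token = f"tok{self._counter}"
        self.issued[token] = self.clock + 1800
        return token, 1800

    def link_status(self, headers: Dict[str, str]) -> Tuple[int, object]:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, {"error": "missing bearer token"}
        expiry = self.issued.get(auth[len("Bearer "):])
        if expiry is None or self.clock >= expiry:
            return 401, {"error": "token expired or unknown"}
        return 200, {"status": "ACTIVE"}


def run_scenario() -> Dict[str, int]:
    """Drive the manager through reuse, pre-emptive refresh and a 401 retry."""
    setu = FakeSetu()
    mgr = SetuTokenManager("demo-client-id", "demo-secret",
                           setu.token_endpoint, now=lambda: setu.clock)
    statuses = []
    statuses.append(mgr.call(setu.link_status)[0])   # first call fetches tok1
    setu.clock += 600
    statuses.append(mgr.call(setu.link_status)[0])   # tok1 reused, no fetch
    setu.clock += 1200                               # 1800 s in: past the margin
    statuses.append(mgr.call(setu.link_status)[0])   # cache stale -> tok2
    setu.issued.clear()                              # Setu revoked tokens early
    statuses.append(mgr.call(setu.link_status)[0])   # 401 -> tok3 -> 200
    return {"ok_calls": statuses.count(200), "token_fetches": mgr.fetch_count}


if __name__ == "__main__":
    print(run_scenario())
```

The injected `now` and `fetch_token` callables keep the manager testable without network access; in a real integration `fetch_token` would POST the clientID and secret to Setu's v2 token endpoint over HTTPS and return the `token` and `expiresIn` values from the success response. The single retry on 401 matters: retrying without a bound would loop forever if the credentials themselves were rejected.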