API Access Token
Airwallex uses an API key and Client ID to authenticate requests, keys are managed via the Airwallex Webapp. Do not share your API keys in publicly accessible areas such as GitHub, client-side code, and so forth.
All API requests must be made over HTTPS. Only PCI-DSS recommended TLS versions and cipher suites are supported.
POST /api/v1/authentication/login
Obtain access token
POST /api/v1/authentication/login
Obtain an access token by specifying your x-client-id and x-api-key in the HTTP request header. Include the access token you receive in the Authorization: Bearer [token] header when calling other endpoints. The access token remains valid for 30 minutes and can be reused until it expires. Always refer to the expires_at field for the exact expiration time.
If your scoped API key includes permissions for multiple accounts, include the x-login-as header to specify the target account that the returned access token is authorized for. If the scoped API key also includes organization-level permissions, the access token would automatically have access to organization-level resources. For more details, see Manage API keys .
Token expiration time in ISO8601 format
Authentication token returned
| Error status | Description |
|---|---|
| 400 | Bad request. Data provided is either incomplete or malformed. |
| 401 | Possible errors: |
| 403 | Forbidden. The request was denied due to insufficient permissions |
| 429 | Too many requests |
| 500 | Service unavailable |
$curl --request POST \> --url 'https://api-demo.airwallex.com/api/v1/authentication/login' \> --header 'x-api-key: <string>' \> --header 'x-client-id: <string>'
1{2 "token": "eyJhbGciOiJSUzI1NiJ9.eyJpYXQiOjE2MjQwMDAwMDAsImV4cCI6MTYyNDAwMTgwMH0.example",3 "expires_at": "2021-06-18T16:30:00+0000"4}