Get started
To authenticate with the Partner API, use OAuth, a partner access token, or HTTP Basic authentication, depending on your use case.
OAuth
OAuth is for applications that access Airwallex client accounts on behalf of authorized users. It uses the standard authorization code flow , with optional PKCE support for public clients.
To use OAuth, register your application by contacting [email protected]. You will be issued a client_id and client_secret.
1. Redirect the user to the authorization endpoint
Send the user to the authorization URL to start the consent flow. On approval, Airwallex redirects to your redirect_uri with an authorization code.
1https://airwallex.com/oauth/authorize2 ?response_type=code3 &client_id=YOUR_CLIENT_ID4 &redirect_uri=YOUR_REDIRECT_URI5 &scope=YOUR_SCOPE6 &state=YOUR_STATE
2. Exchange the code for an access token
POST the authorization code to the token endpoint. A successful response returns an access_token and a refresh_token.
1curl --request POST \2 --url 'https://api-demo.airwallex.com/oauth/token' \3 --header 'Content-Type: application/json' \4 --data '{5 "client_id": "YOUR_CLIENT_ID",6 "client_secret": "YOUR_CLIENT_SECRET",7 "code": "AUTH_CODE",8 "grant_type": "authorization_code",9 "redirect_uri": "YOUR_REDIRECT_URI"10 }'
3. Call the Client API on behalf of the user
Include the access token as a Bearer token in the Authorization header to call Client API endpoints on behalf of the authorized user.
1curl --request GET \2 --url 'https://api-demo.airwallex.com/api/v1/...' \3 --header 'Authorization: Bearer YOUR_ACCESS_TOKEN'
Partner API access token
Partner API access tokens are for applications that call Partner API endpoints directly, such as lending or factoring APIs, without requiring user authorization. Authenticate using your x-app-id and x-app-secret to obtain a bearer token, which is valid for 30 minutes.
Include the token as a Bearer token in the Authorization header for subsequent Partner API calls.
1curl --request POST \2 --url 'https://api-demo.airwallex.com/partner-api/v1/authentication/login' \3 --header 'Content-Type: application/json' \4 --header 'x-app-id: YOUR_APP_ID' \5 --header 'x-app-secret: YOUR_APP_SECRET'
1{2 "token": "eyJhbGciOiJIUzI1NiJ9...",3 "expires_at": "2026-05-27T00:00:00+0000"4}
HTTP Basic
Basic authentication is for server-to-server calls that do not require user authorization — for example, managing Partner Webhooks. Use HTTP Basic authentication : encode your client_id and client_secret as a Base64 string and pass it in the Authorization header.
Where BASE64_ENCODED_CREDENTIALS is base64(client_id:client_secret).
1curl --request GET \2 --url 'https://api-demo.airwallex.com/partner-api/v1/webhooks' \3 --header 'Authorization: Basic BASE64_ENCODED_CREDENTIALS'