Skip to main content

Client Credentials

POST/v1/token

Get Access Token (Client Credentials)

Use the client_credentials grant type when your server-side code needs to authenticate directly with the RM API — for example, a backend service acting as a trusted merchant. If you need to act on behalf of a specific merchant as a third-party developer, use the Authorization Code flow instead.

This flow requires a Client ID and Client Secret, which you can obtain from the RM Merchant Portal.

Step 1: Get Your Client ID and Client Secret

Go to RM Merchant Portal > Developer > Application.

clientIdStringrequired

Your application's Client ID, found in the Merchant Portal.

Example: 3208919753194101125

clientSecretStringrequired

Your application's Client Secret, found in the Merchant Portal. Click Show to reveal it.

Example: mglve4W3UhPSGOV7gnwoYKyvbRCe83zZ

Step 2: Base64-encode Your Credentials

Concatenate your clientId and clientSecret with a colon, then Base64-encode the result.

Format: clientId:clientSecret

Before encoding:

Plain Credentials
Text
3675930941412424316:wmn7FUauXHdkoYa9182kCMkjGnNJVgin

After Base64 encoding:

Base64 Encoded
Text
MzY3NTkzMDk0MTQxMjQyNDMxNjp3bW43RlVhdVhIZGtvWWE5MTgya0NNa2pHbk5KVmdpbg==

You can use any Base64 encoding tool or the following one-liner:

Terminal
Bash
echo -n "clientId:clientSecret" | base64

Step 3: Set the Request Headers

Include the Base64-encoded credentials in the Authorization header:

Request Headers
Text
Content-Type: application/json
Authorization: Basic MzY3NTkzMDk0MTQxMjQyNDMxNjp3bW43RlVhdVhIZGtvWWE5MTgya0NNa2pHbk5KVmdpbg==

See HTTP Basic Authentication for more details on this scheme.

Request Parameters

grantTypeStringrequired

Must be set to "client_credentials" for this flow.

Example: "client_credentials"

Response Parameters

accessTokenString

Bearer token to include in all subsequent API requests.

Example: eyJhbGci...

tokenTypeString

Token scheme. Always "Bearer".

Example: "Bearer"

expiresInNumber

Access token lifetime in seconds. 2,591,999 seconds ≈ 30 days.

Example: 2591999

refreshTokenString

Use this to get a new access token once the current one expires, without re-sending your credentials. See Refresh Token.

Example: hDzmdhTrn...

refreshTokenExpiresInNumber

Refresh token lifetime in seconds. Store this value to know when you need to re-authenticate from scratch.

Example: 1576799999

Last updated on by Aiman Danish