API Authentication

This guide provides comprehensive instructions for authenticating and interacting with our payment API endpoints using JWT (JSON Web Tokens). Follow these guidelines to ensure secure and successful API integration.

Authentication Requirements

All API requests must be authenticated using JWT tokens. The JWT payload must include your Access Key, which remains constant across all requests. The token must be signed using your Secret Key, which varies between sandbox and production environments. Both credentials can be obtained from the self-service portal.

Security Notice: Treat your Secret Key as sensitive information. Never share it with third parties or expose it in your codebase.

API Base URLs

  • Production: https://mip.urbo.lt/api/v1
  • Sandbox: https://mip.urbo.lt/api/v1/sandbox

JWT Structure

A valid JWT token consists of three parts, separated by dots: header.payload.signature

Header

The JWT header must contain the following fields:

  • alg: The signing algorithm (must be "HS256")
  • typ: The token type (must be "JWT")

Example header:

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

The JWT payload must include these mandatory fields:

  • jti: A unique token identifier (random string), max 16 characters.
  • exp: Token expiration timestamp (5 minutes from creation).
  • accessKey: Your project's access key.

Additional fields may be required based on the specific endpoint being called.

Payload example in JSON (endpoint-specific fields omitted)

{
  "jti": "a3f21d4c8e7b9f01",
  "exp": 1718112345,
  "accessKey": "your-access-key"
}

Token Generation examples

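const jwt = require('jsonwebtoken');
const crypto = require('crypto');

// Build a fresh payload for every request; a reused token is rejected with 401.
const payload = {
    jti: crypto.randomBytes(8).toString('hex'), // 16 hex characters, the maximum allowed length
    exp: Math.floor(Date.now() / 1000) + (5 * 60), // 5 minutes from now
    accessKey: 'your-access-key',
    // Additional fields based on endpoint
};

// 'your-secret' is a placeholder: load the Secret Key from configuration kept outside the codebase.
const token = jwt.sign(payload, 'your-secret', { algorithm: 'HS256' });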

Including the Token in Requests

To authenticate your API requests, include the JWT token in the Authorization header using the Bearer scheme. Here's how to do it:


curl -X GET https://mip.urbo.lt/api/v1/endpoint \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Accept: application/json"

Note: Always include the word "Bearer" before the token in the Authorization header. The token should be sent without any additional encoding or wrapping.

Errors

Status Code   Description
400           Token is malformed, has invalid format, or required fields are missing.
401           Token is missing, expired, reused, or has an invalid signature.
403           Payment initiation is not enabled for the project.
404           No project found matching the provided accessKey.
422           One or more required payload fields are missing or invalid.
429           Too many requests from the same project within the allowed time window.
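
The header and payload rules and the 400/401 rows of the error table, turned into a local pre-flight check; this is an added example, not code from the original page or the API provider. It builds the token with Node's built-in crypto instead of jsonwebtoken so the three parts are visible; signToken and checkToken are hypothetical names, and treating an exp more than 5 minutes ahead as a violation is an assumption about how the limit is enforced.

```javascript
const crypto = require('crypto');

const b64url = (value) => Buffer.from(value).toString('base64url');
const hmac = (input, secret) => crypto.createHmac('sha256', secret).update(input).digest();

// Build header.payload.signature by hand so each of the three parts is visible.
// signToken is a hypothetical helper name; `now` is injectable for testing.
function signToken(accessKey, secretKey, extraClaims = {}, now = Date.now()) {
  const header = { alg: 'HS256', typ: 'JWT' };
  const payload = {
    ...extraClaims, // endpoint-specific fields; cannot override the mandatory ones
    jti: crypto.randomBytes(8).toString('hex'), // 16 chars, new for every request
    exp: Math.floor(now / 1000) + 5 * 60,
    accessKey,
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${signingInput}.${b64url(hmac(signingInput, secretKey))}`;
}

// Local preflight (hypothetical helper): returns a list of rule violations, empty if none.
function checkToken(token, secretKey, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return ['token is not header.payload.signature'];
  let header, payload;
  try {
    [header, payload] = parts.slice(0, 2)
      .map((p) => JSON.parse(Buffer.from(p, 'base64url').toString('utf8')));
  } catch {
    return ['header or payload is not valid JSON'];
  }
  if (!header || !payload) return ['header or payload is not a JSON object'];
  const problems = [];
  const nowSec = Math.floor(now / 1000);
  if (header.alg !== 'HS256') problems.push('alg must be HS256');
  if (header.typ !== 'JWT') problems.push('typ must be JWT');
  if (typeof payload.jti !== 'string' || !payload.jti || payload.jti.length > 16)
    problems.push('jti must be a string of 1 to 16 characters');
  if (!Number.isInteger(payload.exp) || payload.exp <= nowSec)
    problems.push('exp is missing or already expired');
  else if (payload.exp > nowSec + 5 * 60) // assumption: longer lifetimes are refused
    problems.push('exp is more than 5 minutes ahead');
  if (!payload.accessKey) problems.push('accessKey is missing');
  // Constant-time comparison catches a sandbox/production Secret Key mix-up.
  const given = Buffer.from(parts[2], 'base64url');
  const expected = hmac(`${parts[0]}.${parts[1]}`, secretKey);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    problems.push('signature does not match this Secret Key');
  return problems;
}
```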