- 28 Aug 2023
- 2 Minutes to read
- Print
- DarkLight
Authentication and Authorisation
- Updated on 28 Aug 2023
- 2 Minutes to read
- Print
- DarkLight
Authentication and Authorisation
Calls made to the Access PaySuite Evolve Platform API require authentication in order to verify the identity of the caller and establish what permissions they have within the service.
Master API Keys
In order to make calls to the API endpoints in the Access PaySuite Evolve API a user needs to have an API key to authenticate with the service.
When you sign up to our service you will be given the default API keys needed to access the APIs.
⚠ Currently we are only supporting integration for software providers and so the API Keys to use with the system will be provided to you when the project to integrate with our systems is started. Please contact evolvesupport@theaccessgroup.com to initialise your software provider account and obtain your API keys.
You will receive two master keys from us:
Access PaySuite Evolve Platform API Key – This key is used to access all the API endpoints EXCEPT for the payment API endpoints.
Access PaySuite Evolve Payment API Key – This key is required to process payments and administer your payment related functionality.
These separate keys are required to ensure that we can properly secure your payment processing, which is subject to stringent requirements of PCI Data Security Standards, from the rest of your APIs. This separation allows us to reduce the impact of PCI process on the functionality we can offer from the parts of the Access PaySuite Evolve system that are not involved directly with the processing of payments.
Using your API Keys with the APIs
When making an API call to one of our endpoints the API key needs to be passed in the API_KEY header of the request being sent, an example is shown below:
GET http://secure.test.pay360evolve.com/system/paymentMethods HTTP/1.1
Content-Type: application/json
API_KEY: REPLACE_WITH_YOUR_API_KEY
Keeping your API keys secure
Your API Key should be treated as sensitive data and not shared externally with any untrusted partners. If you lose your API Key or believe it has been compromised then please contact your support contact to have a new API Key issued and your old API Key revoked.
Since the API Key is sensitive data it should never be embedded within a client web page – all calls to the Evolve Platform APIs should be server to server – interactions between a client and the server are authenticated using JWT tokens which are discussed in the User Management API section.
API Keys and Environments
API Keys are only valid for the environment for which they are issues. You cannot use a UAT API Key with the LIVE system or vice versa.