To access our APIs, you'll first need to complete the onboarding process and receive your authentication credentials. Contact the Banked Customer Success team at support@banked.com.
In the onboarding flow you will be asked to choose either Basic or OAuth2 authentication for the integration. OAuth2 is recommended for production environments as it provides enhanced security through token-based authentication and fine-grained access control.
Basic Authentication
Basic Authentication uses static credentials and is simpler to implement, making it suitable for testing or simple integrations. Your credentials will be securely shared with you during onboarding.
All API requests require the following header fields:
Authorization: Basic base64(key:secret) - The Base64-encoded string key:secret.
Idempotency-Key (recommended for all non-GET requests): uuid - An idempotency key unique for that request.
OAuth2 Authentication
OAuth2 provides enhanced security through token-based authentication and allows fine-grained access control via scopes, making it the recommended choice for production environments.
If you choose OAuth2 Authentication, we will share with you:
API credentials that will be used to generate an access token (these use Basic Auth format):
API Key: bk_live_1234567890abcdef
Secret Key: sk_live_abcdef1234567890
A list of allowed scopes that represent Business Application IDs. Each scope corresponds to a specific business application in your Banked account (e.g., app_12345 for your main store, app_67890 for your mobile app), allowing you to create tokens with limited access for better security.
Tokens expire after 2 hours, so you must rotate your tokens frequently to ensure application security.
Generating an OAuth token
To generate OAuth tokens, send a POST request to https://api.banked.com/oauth/token. You must create an Authorization header by concatenating your API key and secret key with a colon as a separator, and then base64 encode the resulting string: Authorization: Basic base64(APIkey:secretKey).
The example below shows a scoped token request with the application ID in the data-urlencode field:
curl --location --request POST 'https://api.banked.com/oauth/token' \
  --header 'Authorization: Basic base64(key:secret)' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'scope=APPLICATION_ID'
The example below shows the format of the successful token response:
{
  "access_token": "YOUR_TOKEN",
  "token_type": "Bearer",
  "expires_in": 7200,
  "scope": "APPLICATION_ID",
  "created_at": 1615831274
}
Once created, you can use the OAuth token from the access_token field to authenticate your API requests. To do so, include HTTP headers as shown below:
Authorization: Bearer YOUR_TOKEN - The access_token you retrieved in the previous step.
Idempotency-Key (recommended for all non-GET requests): uuid - An idempotency key unique for that request.
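
The token flow above as an added Python example (not Banked's own code): it builds the same request as the curl call, caches the scoped token, refetches it shortly before the 2-hour expiry, and sets Idempotency-Key on non-GET calls. The function and class names, the 300-second refresh margin and the reuse of a key on retries are assumptions.

```python
import base64, json, time, uuid
from urllib import parse, request

TOKEN_URL = "https://api.banked.com/oauth/token"  # endpoint given on the page

def basic_header(api_key, secret_key):
    """Authorization value: Basic base64(APIkey:secretKey)."""
    raw = f"{api_key}:{secret_key}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def build_token_request(api_key, secret_key, scope):
    """Same request as the curl example, built but not sent."""
    body = parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return request.Request(TOKEN_URL, data=body.encode("ascii"), method="POST", headers={
        "Authorization": basic_header(api_key, secret_key),
        "Content-Type": "application/x-www-form-urlencoded"})

def send(req):
    """Send a prepared request over TLS and decode the JSON body."""
    with request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Holds one scoped token; refetches `margin` seconds before it expires."""
    def __init__(self, fetch, margin=300, clock=time.time):  # margin: assumed value
        self._fetch, self._margin, self._clock = fetch, margin, clock
        self._token, self._refresh_at = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._refresh_at:
            requested_at = self._clock()
            resp = self._fetch()
            if resp.get("token_type") != "Bearer" or not resp.get("access_token"):
                raise ValueError("unexpected token response")
            # Count from the local clock rather than created_at, so clock
            # skew between client and server cannot stretch the lifetime.
            self._refresh_at = requested_at + int(resp["expires_in"]) - self._margin
            self._token = resp["access_token"]
        return self._token

def api_headers(token, method, idempotency_key=None):
    """Headers for an API call; non-GET requests carry an Idempotency-Key."""
    headers = {"Authorization": f"Bearer {token}"}
    if method.upper() != "GET":
        # Pass the earlier key back in when retrying the same request (assumed usage).
        headers["Idempotency-Key"] = idempotency_key or str(uuid.uuid4())
    return headers

# Usage: cache = TokenCache(lambda: send(build_token_request(key, secret, "APPLICATION_ID")))
```

Keep the API key and secret out of source control and logs; the cache holds only the short-lived token in memory.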