Authentication
Below endpoints allow you to obtain the access token required for accessing protected resources in the API. To obtain the access token, you need to make a request to the '/api/access-token' endpoint with the necessary credentials. Once you have obtained the token, it needs to be included as a header in all subsequent requests to protected endpoints. The 'Authorization' header should be set as 'Bearer [access_token]' for authentication.
This section of the documentation covers the process for obtaining two types of access tokens: the management token and the business token. Both tokens are acquired through the '/api/access-token' endpoint, but they serve different purposes and scopes.
Get Management access token
Send these values as params in the POST body and get the access token.
Parameters
- Name
client_id- Type
- string
- Description
Pass your client id given by Crater
- Name
client_secret- Type
- string
- Description
Pass your client secret given by Crater
- Name
type- Type
- string
- Description
Pass management as the type of token you want to generate.
- Name
scope- Type
- string
- Description
Pass * if you want all scopes or pass comma separated list of selected scopes. See all scopes below.
Keep your management access token safe! Don't expose your management access token to frontend. It's supposed to be used only on backend since it grants access to all businesses on the platform.
Request
curl --request POST \
"https://payments.your-domain.com/api/access-token" \
--header "Content-Type: application/json" \
--header "Accept: application/json" \
--data "{
\"client_id\": \"your-client-id\",
\"client_secret\": \"your-client-secret\",
\"type\": \"management\",
\"scope\": \"*\"
}"
Response
{
"token_type": "Bearer",
"type": "management",
"expires_in": 31536000,
"access_token": "your-bearer-token"
}
Get Business access token
Send these values as params in the POST body and get the business access token.
Parameters
- Name
client_id- Type
- string
- Description
Pass your client id given by Crater
- Name
client_secret- Type
- string
- Description
Pass your client secret given by Crater
- Name
business_id- Type
- string
- Description
ID of the business for which you want to get the access token.
- Name
type- Type
- string
- Description
Pass business as the type of token you want to generate.
- Name
scope- Type
- string
- Description
Pass * if you want all scopes or pass comma separated list of selected scopes. See all scopes below.
Request
curl --request POST \
"https://payments.your-domain.com/api/access-token" \
--header "Content-Type: application/json" \
--header "Accept: application/json" \
--data "{
\"client_id\": \"your-client-id\",
\"client_secret\": \"your-client-secret\",
\"business_id\": \"your-business-id\",
\"type\": \"business\"
\"scope\": \"*\"
}"
Response
{
"token_type": "Bearer",
"type": "business",
"expires_in": 31536000,
"access_token": "your-bearer-token"
}
Example Request using the bearer token returned from the above request.
Here's how to add the token to the request header using cURL:
Example request with bearer token
curl https://payments.your-domain.com/v1/businesses \
-H "Authorization: Bearer {token}"
Management Token vs Business Token
Understand the difference between the two types of access tokens.
Management Token
- Purpose: Grants access to all businesses and their respective data across the platform. Mainly used for backend integration and administrative purposes (e.g. creating new businesses, etc.).
- Scope: Wide-ranging, ideal for administrative or supervisory roles that require access to multiple businesses.
- Generation: Follow the standard token generation process without specifying a business ID.
Business Token
- Purpose: Restricts access to data pertaining to a single specified business. Mainly used for frontend sdk integration.
- Scope: Limited to one business, ensuring data isolation and security.
- Generation: Requires the inclusion of a
business_idparameter in the token generation request.
Scopes
Scopes define the level of access a token will have to resources in Crater.
| Resource | Read Scope | Write Scope | Accessible Using |
|---|---|---|---|
| Business | businesses-read | businesses-write | Management token |
| Item | items-read | items-write | Management token, Business token |
| Customer | customers-read | customers-write | Management token, Business token |
| Estimate | estimates-read | estimates-write | Management token, Business token |
| Invoice | invoices-read | invoices-write | Management token, Business token |
| Payment | payments-read | payments-write | Management token, Business token |
| Note | notes-read | notes-write | Management token, Business token |
| TaxType | tax-types-read | tax-types-write | Management token, Business token |
| PaymentMethod | payment-methods-read | payment-methods-write | Management token, Business token |