
Acquiring a bearer token

Use the OAuth 2.0 token exchange to retrieve an access token that can be used in subsequent requests to Worldline REST APIs.

This section explains how to create a signed, Base64url-encoded JWT, which is then posted to Worldline in exchange for an access token.

Several libraries can help you create a JWT, and the information here is enough to create one yourself. For reference, see the reference guide on JWT with OAuth 2.0.

Create the JWT

A JSON Web Token is composed of three parts: a header, a claim set and a signature. The header and claim set are JSON objects, serialized to UTF-8 bytes and encoded using Base64url encoding. The header, claim set and signature are concatenated together with a period “.” character.

1. Construct the JWT header

Create an encoded_JWT_Header:


2. Base64url encode the JWT Header

Base64URL encode the header, as defined in The result should be similar to:


3. Construct a JSON claim set

The claim set will have the attributes iss, aud, exp, iat, and the optional consumerid.

An example claim set is shown below:

{
  "aud": "drwp",
  "iss": "application-1@123456789",
  "scope": "OrderProcessingService:GET:/v2/merchants/{mid}/orders/{orderId}",
  "exp": 1559062205,
  "iat": 1559062145
}

4. Base64url encode the claim set.

Call the result encoded_JWT_Claims_Set. It will be similar to:


5. Concatenate the header and claim set

Create a new string header_payload_encoded for the encoded JWT Header and the encoded JWT Claims Set as follows:

header_payload_encoded = encoded_JWT_Header + "." + encoded_JWT_Claims_Set

Note the . on the first line of the payload:


6. Create a signature of the payload

Sign the resulting string using SHA256 with RSA, and Base64url encode the result.

7. Concatenate the payload and signature

Create a new string jwt_final_encoded, in the following format:

jwt_final_encoded = header_payload_encoded + "." + base64_encoded_signature

The result should be similar to below where the signature part is highlighted.
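
Steps 1 to 7 as an added Node.js example (not Worldline's code), with a local signature check before the JWT is sent. Assumptions: the function names are illustrative, the header `{"alg":"RS256","typ":"JWT"}` is what the first segment of the abbreviated JWT in step 8 decodes to, and the key pair is generated on the spot as a stand-in for the application's real key.

```javascript
// Added example, not Worldline code. Node.js built-in modules only.
const crypto = require('crypto');

// Base64url: URL-safe alphabet without "=" padding.
const b64url = (input) => Buffer.from(input).toString('base64url');

// Step 3: claim set. exp is kept close to iat (60 s, as in the page's sample).
function makeClaims(iss, scope, nowSeconds, lifetimeSeconds = 60) {
  return { aud: 'drwp', iss, scope, exp: nowSeconds + lifetimeSeconds, iat: nowSeconds };
}

// Steps 1-7: returns encoded_JWT_Header.encoded_JWT_Claims_Set.signature
function buildJwt(claims, privateKey) {
  const encodedHeader = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' })); // steps 1-2
  const encodedClaims = b64url(JSON.stringify(claims));                       // step 4
  const headerPayloadEncoded = `${encodedHeader}.${encodedClaims}`;           // step 5
  // Step 6: SHA-256 with RSA (PKCS#1 v1.5 padding, Node's default for RSA keys).
  const signature = crypto.sign('sha256', Buffer.from(headerPayloadEncoded), privateKey);
  return `${headerPayloadEncoded}.${b64url(signature)}`;                      // step 7
}

// Local check before sending: the signature must verify over header.claims.
function verifyJwt(jwt, publicKey) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('expected header.claims.signature');
  const [h, c, s] = parts;
  const signed = Buffer.from(`${h}.${c}`);
  if (!crypto.verify('sha256', signed, publicKey, Buffer.from(s, 'base64url'))) {
    throw new Error('signature does not match header and claim set');
  }
  const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
  return { header: decode(h), claims: decode(c) };
}

// Constructed demo input: throwaway key pair; iss, scope and iat copied from the sample claim set.
// Real use: load the application's private key and pass Math.floor(Date.now() / 1000).
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const demoJwt = buildJwt(
  makeClaims('application-1@123456789',
    'OrderProcessingService:GET:/v2/merchants/{mid}/orders/{orderId}', 1559062145),
  privateKey);
console.log(demoJwt.split('.')[0]);          // encoded_JWT_Header
console.log(verifyJwt(demoJwt, publicKey));  // decoded header and claims
```

The private key never leaves the caller; only the three-part string is posted in step 8.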


Exchange the JWT for a bearer token

8. Send the JWT

POST /v2/oauth2/tokens HTTP/1.1
Host: auth-endpoint
Content-type: application/x-www-form-urlencoded

curl -s -X POST \
     -H "Content-type: application/x-www-form-urlencoded" \
     auth-endpoint \
     -d "jwt=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiAiZHJ3cCIsImlzcyI6ICJhcHBsaWNhdGlvbi0xQ...(abbreviated)"

9. Read the bearer token

The Worldline security service will, given that there is an active application user and that the JWT is correct, return a bearer token that is valid for a specified period of time.

HTTP/1.1 201 Created
Cache-Control: no-store
Content-Type: application/json
Date: Thu, 23 May 2019 17:59:54 GMT
Pragma: no-cache
Content-Length: 119


Call a secured service

Finally, use the bearer token to call a Worldline service:

10. Use the bearer token

GET /v2/merchant/1234567890/orders/my-order-1 HTTP/1.1
Host: transactions-endpoint
Authorization: Bearer 6c4fd6d6bee22f557cf65d9c06ebb8f6d5a43e

curl -H "Authorization: Bearer 6c4fd6d6bee22f557cf65d9c06ebb8f6d5a43e" \
     transactions-endpoint/v2/merchant/1234567890/orders/my-order-1