Authentication

Why it's needed

Authentication is required to ensure that each request comes from an authorized user. You must authenticate using password credentials to obtain an access token that is used in all subsequent API calls.

When to use it

Always begin your API session with authentication. Re-authenticate when the token expires.

Testing Endpoints

You can test these endpoints directly in our API Sandbox.

Authentication Endpoints

Sandbox

POSThttps://35702.tagpay.fr/api/distributor/v1/oauth2/token

Production

POSThttps://35703.tagpay.fr/api/distributor/v1/oauth2/token

Environment Differences

Note that authentication endpoints use different base URLs than the main API endpoints. After authentication, use the standard base URLs:

Sandbox API: https://sandbox.revsto.com/api
Production API: https://login.revsto.com/api

How to Test Authentication

Send a POST request with your credentials using URL-encoded form data.
Verify that the response contains an access_token.
Use this token in the header for further API calls.

Code Examples

cURL
Python
JavaScript

curl --location 'https://35702.tagpay.fr/api/distributor/v1/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username={your_username}' \
--data-urlencode 'password={your_password}' \
--data-urlencode 'client_id={your_client_id}' \
--data-urlencode 'client_secret={your_client_secret}'

import requests

url = "https://35702.tagpay.fr/api/distributor/v1/oauth2/token"
payload = {
    "grant_type": "password",
    "username": "{your_username}",
    "password": "{your_password}",
    "client_id": "{your_client_id}",
    "client_secret": "{your_client_secret}"
}
headers = {
    "Content-Type": "application/x-www-form-urlencoded"
}
response = requests.post(url, data=payload, headers=headers)
print(response.text)

fetch("https://35702.tagpay.fr/api/distributor/v1/oauth2/token", {
    method: "POST",
    headers: {
      "Content-Type": "application/x-www-form-urlencoded"
    },
    body: new URLSearchParams({
      grant_type: "password",
      username: "{your_username}",
      password: "{your_password}",
      client_id: "{your_client_id}",
      client_secret: "{your_client_secret}"
    })
  })
    .then(response => response.json())
    .then(data => console.log("Access Token:", data.access_token))
    .catch(error => console.error("Error:", error));

Request Body

Authentication Request

{
  "grant_type": "password",
  "username": "{your_username}",
  "password": "{your_password}",
  "client_id": "{your_client_id}",
  "client_secret": "{your_client_secret}",
  "scope": "profile_view kyc_view user_creation document_management open_identity account_creation account_view account_close user_deactivate event_management transaction_view customer-instruction_view payment-instruction_view customer-instruction_initiation customer-instruction_submission customer-instruction_submit posting"
}

Sample Response

Authentication Response

{
  "token_type": "Bearer",
  "expires_in": 300,
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI1MTliNzhkZmM5Z...",
  "refresh_token": "def50200012c9c150fb8147fef20761afc267bc5...."
}

Token Information

Field	Description
`token_type`	Always "Bearer" - indicates the token type
`expires_in`	Token lifetime in seconds (300 = 5 minutes)
`access_token`	The JWT token to use for API requests
`refresh_token`	Token for refreshing the access token (if supported)

Using the Access Token

Include this token in the Authorization header for all subsequent API calls:

Authorization: Bearer your_access_token

Token Security Best Practices

Store Securely: Never store tokens in client-side code or logs
Use HTTPS: Always transmit tokens over secure connections
Implement Refresh: Tokens expire after 5 minutes - implement refresh logic
Monitor Expiration: Track token expiration and refresh before expiry
Revoke When Done: Revoke tokens when no longer needed

Available OAuth Scopes

The following OAuth scopes can be requested when obtaining an access token:

Scope	Description
`profile_view`	View user profiles and identity information
`kyc_view`	View KYC document requirements and status
`user_creation`	Create new user accounts and identities
`document_management`	Upload and manage KYC documents
`open_identity`	Open and activate user accounts
`account_creation`	Create financial product accounts for users
`account_view`	View account information, balances, and details
`account_close`	Close and deactivate accounts
`user_deactivate`	Deactivate user accounts
`event_management`	Create, modify, and delete webhook subscriptions
`transaction_view`	View transaction history and details
`customer-instruction_view`	View customer payment instructions
`payment-instruction_view`	View payment instruction details
`customer-instruction_initiation`	Initiate customer payment instructions
`customer-instruction_submission`	Submit customer payment instructions
`customer-instruction_submit`	Direct submit customer payment instructions
`posting`	Perform internal posting operations

Requesting Scopes

Include the desired scopes in your authentication request by adding the scope parameter:

curl -X POST "https://35702.tagpay.fr/api/distributor/v1/oauth2/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=password&username=your_username&password=your_password&scope=profile_view kyc_view user_creation document_management open_identity account_creation account_view account_close user_deactivate event_management transaction_view customer-instruction_view payment-instruction_view customer-instruction_initiation customer-instruction_submission customer-instruction_submit posting"

Recommended for Distributors

For distributor integrations, it's common practice to provide all available scopes to ensure full API access and avoid scope-related errors during development and production operations. We recommend requesting all scopes rather than analyzing specific requirements for each endpoint:

profile_view kyc_view user_creation document_management open_identity account_creation account_view account_close user_deactivate event_management transaction_view customer-instruction_view payment-instruction_view customer-instruction_initiation customer-instruction_submission customer-instruction_submit posting

This approach simplifies integration and ensures your application can access all necessary functionality without needing to request additional scopes later.

Common Authentication Errors

Status Code	Error	Solution
400 Bad Request	Missing or invalid parameters	Check all required fields are provided
401 Unauthorized	Invalid credentials	Verify username, password, client_id, and client_secret
403 Forbidden	Insufficient permissions	Contact Revsto to verify API access is enabled
429 Too Many Requests	Rate limit exceeded	Implement backoff strategy

Environment Testing

Always test authentication in the sandbox environment first:

Sandbox Testing: Use sandbox credentials with the sandbox auth URL
Token Validation: Test the received token with a simple API call
Error Handling: Implement proper error handling for authentication failures
Production Migration: Only move to production after thorough sandbox testing

caution

Never use production credentials in the sandbox environment, and never use sandbox credentials in production.

Why it's needed​

When to use it​

Testing Endpoints​

Authentication Endpoints​

Sandbox​

Production​

How to Test Authentication​

Code Examples​

Request Body​

Sample Response​

Token Information​

Token Security Best Practices​

Available OAuth Scopes​

Requesting Scopes​

Common Authentication Errors​

Environment Testing​