Access token FAQ
What do I do if I've compromised the keys?​
For merchants:
- If you accidentally share your API keys, you must generate new ones by clicking the regenerate button on your business portal sales unit page. See How to regenerate API keys for step-by-step instructions.
For partners:
- For keys other than merchant API keys, contact the partner team. For merchant keys, the merchant needs to generate new ones on the business portal. See How to regenerate API keys for step-by-step instructions.
Update your integrations, so they will continue working.
Why are there two endpoints?​
The goal is to eventually move all the APIs and keys to using the new token endpoint, which is currently only used by partners for limited specialty uses.
The legacy accesstoken endpoint will continue to work, so integrations will continue to work as before.
There are technical reasons for the two endpoints and the different roles, and there's unfortunately no easy way to "streamline" this for all APIs and roles at once.
How long is an access token valid?​
With POST:/accesstoken/get, the access token is valid for 1 hour in the test environment
and 24 hours in the production environment.
With POST:/miami/v1/token, the access token is valid for 15 minutes regardless of the environment.