How it works
Token lifecycle
The SDK manages tokens internally through the `AuthManager`:
- On the first authenticated request, the SDK calls `POST /api/v1/merchant/token/grant` with your `clientId` and `clientSecret`
- The API returns an `access_token` and an `expires_in` value (in seconds)
- The SDK caches the token and converts the expiration to an absolute timestamp
- On subsequent requests, the cached token is reused
- When the token is within 60 seconds of expiring, the SDK automatically requests a fresh one
- Concurrent callers share a single in-flight refresh — no duplicate token requests
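
The lifecycle above (cache, absolute expiry, 60-second refresh window, one shared in-flight grant) as an added sketch; this is not the SDK's `AuthManager` source. `TokenCache`, `grantFn`, `now` and `makeFakeGrant` are hypothetical names, and the token endpoint is replaced by a constructed stub so the block runs offline.

```javascript
// Added sketch of the lifecycle above; not the SDK's AuthManager source.
// TokenCache, grantFn and now are hypothetical names used for illustration.
const REFRESH_SKEW_MS = 60_000; // refresh once within 60 seconds of expiry

class TokenCache {
  constructor(grantFn, now = Date.now) {
    this.grantFn = grantFn; // async () => ({ access_token, expires_in })
    this.now = now;         // injectable clock so expiry can be tested
    this.token = null;
    this.expiresAt = 0;     // absolute expiry, ms since epoch
    this.inFlight = null;   // promise shared by callers while a grant is pending
  }

  // Not declared async, so concurrent callers get the same promise object.
  getAccessToken() {
    if (this.token !== null && this.now() < this.expiresAt - REFRESH_SKEW_MS) {
      return Promise.resolve(this.token);
    }
    return this.grantToken();
  }

  // Requests a fresh token regardless of cache state (de-duplicated by assumption).
  grantToken() {
    if (this.inFlight) return this.inFlight;
    const requestedAt = this.now(); // count from send time: never overestimates lifetime
    this.inFlight = (async () => this.grantFn())()
      .then((res) => {
        if (!res || typeof res.access_token !== "string" || !(res.expires_in > 0)) {
          throw new Error("malformed token response"); // never cache a bad grant
        }
        this.token = res.access_token;
        this.expiresAt = requestedAt + res.expires_in * 1000; // seconds -> absolute ms
        return this.token;
      })
      .finally(() => { this.inFlight = null; }); // a failed grant can be retried
    return this.inFlight;
  }
}

// Constructed stand-in for POST /api/v1/merchant/token/grant; counts calls.
function makeFakeGrant(expiresIn = 3600) {
  const fake = async () => {
    fake.calls += 1;
    return { access_token: `constructed-token-${fake.calls}`, expires_in: expiresIn };
  };
  fake.calls = 0;
  return fake;
}
```

Clearing `inFlight` in `finally` means a rejected grant does not poison later callers, and validating the response before caching keeps a malformed reply from being reused as a token.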
Token request
Manual token access
In rare cases you may need the raw access token — for example, to make direct HTTP calls outside the SDK. Use `grantToken()` to force a fresh token request regardless of cache state:
Client configuration
| Field | Type | Required | Description |
|---|---|---|---|
| `environment` | `"sandbox" \| "production"` | Yes | Target environment |
| `clientId` | `string` | Yes | OAuth2 client ID |
| `clientSecret` | `string` | Yes | OAuth2 client secret |
| `customUrl` | `string` | No | Override the built-in API base URL |
| `retryOptions` | `Partial<RetryOptions>` | No | Override default retry behavior |

`clientSecret` is not exposed on `client.config` after creation — store it separately if you need it for non-SDK purposes.

All service methods handle authentication transparently. You only need to interact with `getAccessToken()` or `grantToken()` if you are making direct HTTP calls outside the SDK.