Authentication

DailyPay API Access


DailyPay adheres to the OAuth 2.0 RFC 6749 and OpenID Connect specifications. This document will walk you through the steps to get an access token your application can use to make requests to the DailyPay Public REST API.

We support the following methods:

  • Authorization Code Flow: This method is suitable when access to resources requires user consent, such as bank account information or the ability to initiate transfers on behalf of the user.

    It allows your application to get access and refresh tokens, facilitating user consent and enabling your application to perform actions on their behalf.

  • Client Credential Flow: This method is suitable for server-to-server operations, where additional levels of user consent may not be required.

    The client credentials grant facilitates the acquisition of an access token independent of a user's protected resources. For instance, you can utilize the Organizations endpoint.

Authorization Code Flow

The purpose of following the OAuth2 flow is to help you retrieve an authorization code and exchange it for an access_token via the request access token endpoint.

1. Register your Application

Your DailyPay contact will ask you to provide

  • a callback url that can receive the code result of the OAuth 2.0 authorization code flow
  • links to your privacy policy and terms of service
  • optionally, a logo for use on the OAuth consent screen

OpenID Connect (OIDC)

  • For additional security, you may be asked to provide DailyPay with a JSON Web Key Set (JWKS), or a url for retrieving your JWKS, to use signed OIDC requests.

2. Configure

DailyPay will provide configuration values for your application:

  • client_id
  • client_secret, if applicable
  • scope: a list of scopes your application can request, which may include "offline_access" and "openid"
  • redirect_uri: the registered callback url you provided

You may wish to use a client library (https://oauth.net/code/) to perform the next steps, using the configuration values above.

3. Initiate an OAuth2 request

Construct the request url using the template below, replacing the {scope}, {client_id}, and {redirect_uri} parameters with the configuration values above.

Additionally, generate a state parameter that is unique to this request, and a code verifier and code challenge for Proof Key for Code Exchange (PKCE); the verifier is used again in a later step.

https://auth.dailypay.com/oauth2/auth
    ?response_type=code
    &scope={scope}
    &client_id={client_id}
    &redirect_uri={redirect_uri}
    &state={state}
    &code_challenge={code_challenge}
    &code_challenge_method=S256

Example

https://auth.dailypay.com/oauth2/auth
    ?response_type=code
    &scope=user%3aread_write%20openid
    &client_id=your-client-id
    &redirect_uri=https%3A%2F%2Fexample.com%2Fcallback
    &state=9876543fghijklm
    &code_challenge=hKpKupTM391pE10xfQiorMxXarRKAHRhTfH_xkGf7U4
    &code_challenge_method=S256

Make sure to url-encode each parameter, e.g. user:read_write becomes user%3aread_write.


4. Open a browser window, tab, or secure mobile view to the constructed URL.

The user will be prompted to log in or create a new DailyPay account and will be prompted to allow your application to act on their behalf.

5. Handle the code

The user will be redirected, in the open tab, to your callback url with a code query parameter, or with an error and error_description if the user did not consent to your application's request or otherwise encountered an error. The state parameter is returned to you as well.

6. Exchange the code for an Access Token

As also specified in our token endpoint documentation, send the following parameters form-encoded (application/x-www-form-urlencoded) in the request body to https://auth.dailypay.com/oauth2/token.

Parameter       Required   Description
grant_type      Yes        Must be set to authorization_code.
client_id       Yes        Your client id provided by DailyPay.
code            Yes        The authorization code received from the authorization server.
redirect_uri    Yes        MUST be the redirection URI used in the initial authorization request.
client_secret   Varies     Your client secret, if provided by DailyPay.
code_verifier   Varies     The PKCE verifier matching the code_challenge generated earlier.

Example Request to the Token Endpoint

curl --request POST \
    --url https://auth.dailypay.com/oauth2/token \
    --header 'accept: application/json' \
    --header 'content-type: application/x-www-form-urlencoded' \
    --data "grant_type=authorization_code" \
    --data "client_id={client_id}" \
    --data "code={code}" \
    --data "redirect_uri={redirect_uri}" \
    --data "code_verifier={verifier}"

The resulting access token can be used to make requests to the DailyPay Public REST API:

{
    "access_token": "dpo_38347Ae178B4a16C7e42F292c6912E7710c8",
    "token_type": "bearer",
    "expires_in": 3600,
    "created_at": 1669741580
}

The authorization code, access token, and refresh tokens can vary in size but will typically remain under 4096 bytes.
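An added Python example (not DailyPay's code) that strings steps 3, 5 and 6 together: it derives the S256 code_challenge from a code_verifier, builds the authorization url with url-encoded parameters, refuses a callback whose state does not match the one issued, and assembles the form body for the token endpoint. The client id, redirect uri and callback values are placeholders; the HTTP POST itself is left to your client library.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

AUTH_URL = "https://auth.dailypay.com/oauth2/auth"


def pkce_pair(verifier=None):
    """Step 3: code_verifier and its S256 code_challenge (RFC 7636)."""
    if verifier is None:
        verifier = secrets.token_urlsafe(64)  # 86 unreserved chars, within 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, scope, state, code_challenge):
    """Step 3: quote_via=quote percent-encodes ':' '/' and ' ' (no '+'),
    so 'user:read_write openid' becomes user%3Aread_write%20openid."""
    params = {
        "response_type": "code",
        "scope": scope,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTH_URL + "?" + urlencode(params, quote_via=quote)


def handle_callback(callback_url, expected_state):
    """Step 5: reject the redirect unless state equals the value we issued,
    and surface error/error_description instead of returning a code."""
    q = parse_qs(urlparse(callback_url).query)
    state = q.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: redirect does not belong to a request we started")
    if "error" in q:
        raise RuntimeError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    return q["code"][0]


def token_request_body(client_id, code, redirect_uri, code_verifier, client_secret=None):
    """Step 6: x-www-form-urlencoded body for POST https://auth.dailypay.com/oauth2/token;
    client_secret is included only when DailyPay provided one."""
    body = {"grant_type": "authorization_code", "client_id": client_id, "code": code,
            "redirect_uri": redirect_uri, "code_verifier": code_verifier}
    if client_secret:
        body["client_secret"] = client_secret
    return urlencode(body)
```

The redirect_uri sent in the token body must be the same string used in the authorization url, so pass the same value to both functions.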

Client Credentials Flow

As also specified in our token endpoint documentation, send the following parameters form-encoded (application/x-www-form-urlencoded) in the request body to https://auth.dailypay.com/oauth2/token.

Parameter       Required   Description
grant_type      Yes        Must be set to client_credentials.
scope           Yes        The space-delimited list of requested scopes.
client_id       Yes        Your client id provided by DailyPay.
client_secret   Yes        Your client secret provided by DailyPay.

Example Request to the Token Endpoint

curl --request POST \
    --url https://auth.dailypay.com/oauth2/token \
    --header 'accept: application/json' \
    --header 'content-type: application/x-www-form-urlencoded' \
    --data "grant_type=client_credentials" \
    --data "scope={scopes}" \
    --data "client_id={client_id}" \
    --data "client_secret={client_secret}"

The resulting access token can be used to make requests to the DailyPay Public REST API:

{
    "access_token": "dpo_38347Ae178B4a16C7e42F292c6912E7710c8",
    "token_type": "bearer",
    "expires_in": 3600,
    "created_at": 1669741580
}

The authorization code, access token, and refresh tokens can vary in size but will typically remain under 4096 bytes.


Request access token

Request a DailyPay user access token, as described in the OAuth2 spec. When grant_type is authorization_code, the code and redirect_uri parameters are required. When grant_type is refresh_token, the refresh_token parameter is required.

POST /oauth2/token

Request body schema: application/x-www-form-urlencoded (required). One of the grant-type variants; the authorization_code variant is listed here.

  • grant_type (string, required): The OAuth2 grant type. Value: "authorization_code". Example: "authorization_code"
  • code (string): An authorization code received through the user authorization flow. Example: "50BTIf2h7Wtg3DAk7ytpG5ML_PsNjfQA4M7iupH_3jw"
  • redirect_uri (string): The url redirected to after the authorization flow was completed by the current user. Used and required exclusively for the authorization code grant flow. Example: "https://example.com/callback"
  • code_verifier (string): A PKCE verifier matching the challenge submitted during the authorization code request.
  • client_id (string, required): The client id of the application requesting the token.
  • client_secret (string): The client secret of the application requesting the token, if available.

Responses

  • 200: DailyPay user access token. Response schema (application/json):
      access_token (string), example "dpo_38347Ae178B4a16C7e42F292c6912E7710c8"
      refresh_token (string), example "dpo_38347Ae178B4a16C7e42F292c6912E7710c9"
      token_type (string), example "bearer"
      scope (string), example "user:read_write"
      id_token (string), example "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.4FjJ3eZJYJj7J9Jf"
      expires_in (integer), example 3600
  • 400: Something went wrong when exchanging the OAuth grant or refresh token for an access token. NOTE: this conforms to the OAuth spec and does not follow the same error pattern as the rest of the API.
  • 500: Unexpected error occurred.

Request sample (application/x-www-form-urlencoded)

grant_type=authorization_code&code=50BTIf2h7Wtg3DAk7ytpG5ML_PsNjfQA4M7iupH_3jw&redirect_uri=https%3A%2F%2Fexample.com%2Fcallback&code_verifier=string&client_id=string&client_secret=string

Response sample (application/json)

{
  "access_token": "dpo_38347Ae178B4a16C7e42F292c6912E7710c8",
  "refresh_token": "dpo_38347Ae178B4a16C7e42F292c6912E7710c9",
  "token_type": "bearer",
  "scope": "user:read_write",
  "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.4FjJ3eZJYJj7J9Jf",
  "expires_in": 3600
}