Authentication

This page outlines the OAuth 2.0 authentication process for Bitpanda API Partners. You will receive credentials to securely exchange information and maintain continuous access to the API.

Initial Setup

  1. Environment-Specific Credentials: As a partner, you will receive a client_id and client_secret from Bitpanda. To receive them, provide the following:
    • Public Key Submission: Provide us with a public GPG/PGP key so that communications can be encrypted.
    • Email Address: Submit to your Bitpanda solution engineer an email address for receiving technical communications.
  2. Credential Encryption: Bitpanda will return your client_id and client_secret encrypted with the public key provided earlier. These credentials are specific to the environment they will be used in.

Token Management

  1. Initial Refresh Tokens: Use the provided client_id and client_secret to issue one or more initial Refresh Tokens.
Note

Refresh Tokens cannot directly call API endpoints.

  2. Access Tokens:
    • Acquisition: Access Tokens are required for API authorization and can be obtained using a valid Refresh Token.
    • Usage: Include the Access Token in the Authorization header of your API requests as follows:
      Authorization: Bearer [YourAccessTokenHere]
    • Lifetime: Access Tokens are valid for 10 minutes.
  3. Refresh Token Expiry: A Refresh Token will become invalid under the following conditions:
    • 24 hours after issuance.
    • Upon the issuance of a new Access Token using the active Refresh Token.
    • When you initiate a Refresh Token Revocation because you suspect a compromise.
Note

It is not necessary to request a new initial Refresh Token each time you need a new Access Token. Instead, use the Refresh Token obtained from your previous Access Token request to receive a new pair of Refresh and Access Tokens.
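
The rotation rules above, as a client-side token manager. This is an added example, not Bitpanda's code: the page does not specify the token endpoint, so `exchange` is a hypothetical callable standing in for that HTTP request, `FakeIssuer` is a constructed in-memory issuer for offline runs, and the 30-second `SKEW` is an assumption.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

ACCESS_TTL = 10 * 60          # page: Access Tokens are valid for 10 minutes
REFRESH_TTL = 24 * 60 * 60    # page: Refresh Tokens expire 24 hours after issuance
SKEW = 30                     # assumption: renew this many seconds before expiry

class RefreshTokenExpired(Exception):
    """The stored Refresh Token is past its 24-hour lifetime."""

@dataclass
class TokenManager:
    # exchange(refresh_token) -> (access_token, new_refresh_token); hypothetical
    # stand-in for the token request, whose endpoint this page does not give.
    exchange: Callable[[str], Tuple[str, str]]
    refresh_token: str
    refresh_issued_at: float
    clock: Callable[[], float] = time.time
    access_token: Optional[str] = None
    access_issued_at: float = 0.0

    def bearer_header(self) -> dict:
        now = self.clock()
        fresh = self.access_token and now < self.access_issued_at + ACCESS_TTL - SKEW
        if not fresh:
            if now >= self.refresh_issued_at + REFRESH_TTL:
                raise RefreshTokenExpired("issue a new initial Refresh Token")
            access, new_refresh = self.exchange(self.refresh_token)
            # Issuing an Access Token invalidates the Refresh Token just used,
            # so store the replacement before doing anything else.
            self.refresh_token, self.refresh_issued_at = new_refresh, now
            self.access_token, self.access_issued_at = access, now
        return {"Authorization": f"Bearer {self.access_token}"}

class FakeIssuer:
    """Constructed in-memory issuer that enforces single-use Refresh Tokens."""
    def __init__(self):
        self.n, self.active = 0, "rt-0"

    def exchange(self, rt):
        if rt != self.active:
            raise PermissionError("refresh token already used or revoked")
        self.n += 1
        self.active = f"rt-{self.n}"
        return f"at-{self.n}", self.active
```

In a real deployment the rotated Refresh Token would also be written to durable secret storage at the point where it is replaced, so that a restart does not fall back to a token that has already been consumed.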