Authentication
This page outlines the OAuth 2.0 authentication process for Bitpanda API Partners. You will receive credentials to securely exchange information and maintain continuous access to the API.
Initial Setup
- Environment-Specific Credentials: As a partner, you will receive a client_id and client_secret from Bitpanda:
  - Public Key Submission: Provide us with a public GPG/PGP key to ensure encrypted communications.
  - Email Address: Submit an email address to receive technical communications to your Bitpanda solution engineer.
  - Credential Encryption: Bitpanda will return your encrypted client_id and client_secret, using the public key provided earlier. These credentials are specific to the environment they will be used in.
Token Management
- Initial Refresh Tokens: Use the provided client_id and client_secret to issue one or more initial Refresh Tokens.
Note
Refresh Tokens cannot directly call API endpoints.
- Access Tokens:
  - Acquisition: Access Tokens are required for API authorization and can be obtained using a valid Refresh Token.
  - Usage: Include the Access Token in the Authorization header of your API requests as follows:
    Authorization: Bearer [YourAccessTokenHere]
  - Lifetime: Access Tokens are valid for 10 minutes.
- Refresh Token Expiry: A Refresh Token will become invalid under the following conditions:
  - 24 hours after issuance.
  - Upon the issuance of a new Access Token using the active Refresh Token.
  - When you initiate a Refresh Token Revocation due to suspicions of compromise.
Note
It is not necessary to request a new initial Refresh Token each time you need a new Access Token. Instead, use the Refresh Token obtained from your previous Access Token request to receive a new pair of Refresh and Access Tokens.
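One way a client can apply the rotation rules above, shown as an added example and not Bitpanda's own code. The `exchange` and `store` callables are assumptions standing in for the token request (this page does not give its endpoint or parameters) and for your secret storage; `FakeTokenEndpoint` is a constructed stand-in that enforces single-use Refresh Tokens.

```python
import threading
import time

ACCESS_TTL = 10 * 60         # page: Access Tokens are valid for 10 minutes
REFRESH_TTL = 24 * 60 * 60   # page: Refresh Tokens expire 24 hours after issuance


class RefreshTokenExpired(Exception):
    """Stored Refresh Token is 24 hours old; a new initial one must be issued."""


class TokenManager:
    def __init__(self, refresh_token, exchange, store, clock=time.time, skew=30):
        self._refresh = refresh_token   # current single-use Refresh Token
        self._refresh_issued = clock()  # assumption: token was issued just now
        self._exchange = exchange       # hypothetical: refresh -> (access, new_refresh)
        self._store = store             # hypothetical: persists the newest Refresh Token
        self._clock, self._skew = clock, skew  # skew: renew early to absorb latency
        self._access, self._access_expiry = None, 0.0
        self._lock = threading.Lock()   # one exchange at a time: the token is single-use

    def authorization_header(self):
        with self._lock:
            now = self._clock()
            if self._access is None or now >= self._access_expiry - self._skew:
                if now - self._refresh_issued >= REFRESH_TTL:
                    raise RefreshTokenExpired("request a new initial Refresh Token")
                access, new_refresh = self._exchange(self._refresh)
                # The old Refresh Token is now invalid: persist its successor
                # first, otherwise a crash here loses the whole token chain.
                self._store(new_refresh)
                self._refresh, self._refresh_issued = new_refresh, now
                self._access, self._access_expiry = access, now + ACCESS_TTL
            return {"Authorization": f"Bearer {self._access}"}


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint; rejects reused tokens."""
    def __init__(self, initial):
        self.valid, self.n = initial, 0

    def __call__(self, refresh_token):
        if refresh_token != self.valid:
            raise PermissionError("Refresh Token already used or revoked")
        self.n += 1
        self.valid = f"refresh-{self.n}"
        return f"access-{self.n}", self.valid
```

Sharing one `TokenManager` per credential set across threads matters here: two workers exchanging the same Refresh Token independently would leave one of them holding a token that is already invalid.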