Access token FAQ
What do I do if I've compromised the keys?​
For merchants:
- If you accidentally share your API keys, you must generate new ones by clicking the regenerate button on your business portal sales unit page. See How to regenerate API keys for step-by-step instructions.
For partners:
- For keys other than merchant API keys, contact the partner team. For merchant keys, the merchant needs to generate new ones on the business portal. See How to regenerate API keys for step-by-step instructions.
Update your integrations, so they will continue working.
Why are there two endpoints?​
The new token endpoint follows a fully standard OAuth client credentials flow, which means you can use any of the trusted OAuth libraries to handle token management. We are working towards making this endpoint available for more APIs and use cases over time.
In the meantime, the original accesstoken endpoint continues to work as before, so existing integrations are not affected.
How long is an access token valid?​
With POST:/accesstoken/get, the access token is valid for 1 hour in the test environment
and 24 hours in the production environment.
With POST:/miami/v1/token, the access token is valid for 15 minutes regardless of the environment.