Accessing Resources

Once an access token is obtained, it can be used to access merchant's data on Razorpay APIs. The access is controlled based on the scope requested for and granted by the user during authorization.

Bearer Authorization🔗

The access token needs to be provided in the Bearer Authorization header while requesting Razorpay APIs.

 Request Format Example Request Response
Copycurl -XGET https://api.razorpay.com/v1/payments
	-H "Authorization: Bearer <YOUR_ACCESS_TOKEN>"
Copycurl -XGET https://api.razorpay.com/v1/payments
  -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6IjlUNVV.ZeVJzQTlNY3c5In0eyJhdW"
Copy{
   "count":2,
   "entity":"collection",
   "items":[
      {
         "id":"pay_7IZD7aJ2kkmOjk",
         "entity":"payment",
         "amount":29900,
         "currency":"INR",
         "status":"captured",
         "order_id":null,
         "invoice_id":null,
         "international":false,
         "method":"wallet",
         "amount_refunded":0,
         "refund_status":null,
         "captured":true,
         "description":"Purchase Description",
         "card_id":null,
         "bank":null,
         "wallet":"freecharge",
         "vpa":null,
         "email":"gaurav.kumar@example.com",
         "contact":"9123456780",
         "notes":{
            "merchant_order_id":"order id"
         },
         "fee":12,
         "tax":2,
         "error_code":null,
         "error_description":null,
         "created_at":1487348129
      },
      {
         "id":"pay_19btGlBig6xZ2f",
         "entity":"payment",
         "amount":500,
         "currency":"INR",
         "status":"captured",
         "order_id":null,
         "invoice_id":null,
         "international":false,
         "method":"card",
         "amount_refunded":0,
         "refund_status":null,
         "captured":true,
         "description":"Purchase Description",
         "card_id":"card_12abClEig3hi2k",
         "bank":null,
         "wallet":null,
         "vpa":null,
         "email":"saurav.kumar@example.com",
         "contact":"9988776655",
         "notes":{
            "merchant_order_id":"order id"
         },
         "fee":12,
         "tax":2,
         "error_code":null,
         "error_description":null,
         "created_at":1400826750
      }
   ]
}

Token Expiry🔗

All codes and tokens expire after a fixed period of time. While the authorization_code and access_token are short lived, refresh_token has long expiry TTLs.

If an expired access_token is used, the API will respond with a HTTP 401 status. Access tokens can be exchanged for a new access_token and refresh_token.

Note:

Currently, access token is valid for 90 days, this time limit will be reduced to 30 mins in near future, due to security issues. To reduce future changes, you are advised to generate access token every 30 mins or before.
Refresh tokens have a 6-month expiry period.
You must check the expiration date of the old refresh token and ensure that a new refresh token is generated before that time to keep the refresh token alive indefinitely.
If a refresh token has expired, you will need to take approval from the user again or contact Razorpay Support team to generate a new access_token and refresh_token pair.

Refresh Tokens🔗

As explained above, refresh tokens can be used to generate a new access token. In case your access token expires, you will receive a 4XX response from the API. You can make a request using your refresh token to generate a new (access_token, refresh_token) pair.

Refer the following API request on how to request a new token:

https://auth.razorpay.com/token

Note::
This request must be made from the application's backend server.

Request🔗

The following parameters should be sent in the request:

client_id: Unique client identifer.
client_secret: Client secret string.
grant_type: The type of grant for the request. This should be set to refresh_token.
refresh_token: The refresh token value that was previously stored.

Response🔗

The server will respond with the following parameters:

token_type: Defines the type of access token. This will be set to Bearer.
expires_in: Integer representing the TTL of the access token in seconds.
access_token: Used to access merchant resources on Razorpay. access_token is a private token and should only be used for server-to-server calls.
public_token: A token used only for public routes such as Checkout or Payments. A sample public token will have the following format: rzp_test_oauth_32hsbEKriO6ai4.
refresh_token: New refresh token. The old refresh token will be expired automatically from this point.

 Example Request Example Response
Copy
curl -H "Content-type: application/json" -XPOST https://auth.razorpay.com/token
-d '{
  "client_id": "<YOUR_CLIENT_ID>",
  "client_secret": "<YOUR_CLIENT_SECRET>",
  "grant_type": "refresh_token",
  "refresh_token": "def5020096e1c470c901d34cd60fa53abdaf3662sa0"
}
Copy{
    "public_token": "rzp_test_oauth_9xu1rkZqoXlClS",
    "token_type": "Bearer",
    "expires_in": 7862400,
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6Ijl4dTF",
    "refresh_token": "def5020096e1c470c901d34cd60fa53abdaf36620e823ffa53"
}