
Accessing Resources

Once an access token is obtained, it can be used to access the merchant's data on Razorpay APIs. Access is controlled by the scope requested and granted by the user during authorization.

Bearer Authorization

The access token needs to be provided in the Bearer Authorization header while requesting Razorpay APIs.

    curl -XGET https://api.razorpay.com/v1/payments -H "Authorization: Bearer <YOUR_ACCESS_TOKEN>"

    curl -XGET https://api.razorpay.com/v1/payments -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6IjlUNVV.ZeVJzQTlNY3c5In0eyJhdW"

    {
      "count": 2,
      "entity": "collection",
      "items": [
        {
          "id": "pay_7IZD7aJ2kkmOjk",
          "entity": "payment",
          "amount": 29900,
          "currency": "INR",
          "status": "captured",
          "order_id": null,
          "invoice_id": null,
          "international": false,
          "method": "wallet",
          "amount_refunded": 0,
          "refund_status": null,
          "captured": true,
          "description": "Purchase Description",
          "card_id": null,
          "bank": null,
          "wallet": "freecharge",
          "vpa": null,
          "email": "gaurav.kumar@example.com",
          "contact": "9123456780",
          "notes": {
            "merchant_order_id": "order id"
          },
          "fee": 12,
          "tax": 2,
          "error_code": null,
          "error_description": null,
          "created_at": 1487348129
        },
        {
          "id": "pay_19btGlBig6xZ2f",
          "entity": "payment",
          "amount": 500,
          "currency": "INR",
          "status": "captured",
          "order_id": null,
          "invoice_id": null,
          "international": false,
          "method": "card",
          "amount_refunded": 0,
          "refund_status": null,
          "captured": true,
          "description": "Purchase Description",
          "card_id": "card_12abClEig3hi2k",
          "bank": null,
          "wallet": null,
          "vpa": null,
          "email": "saurav.kumar@example.com",
          "contact": "9988776655",
          "notes": {
            "merchant_order_id": "order id"
          },
          "fee": 12,
          "tax": 2,
          "error_code": null,
          "error_description": null,
          "created_at": 1400826750
        }
      ]
    }

Token Expiry

All codes and tokens expire after a fixed period of time. While the authorization_code and access_token are short-lived, the refresh_token has a long TTL.

If an expired access_token is used, the API responds with an HTTP 401 status. An expired access token can be replaced with a new access_token and refresh_token pair.

Note:

  • The access token is currently valid for 90 days. This time limit will be reduced to 30 minutes in the near future due to security issues. To reduce future changes, you are advised to generate a new access token every 30 minutes or sooner.
  • Refresh tokens have a 6-month expiry period.
  • You must check the expiration date of the old refresh token and ensure that a new refresh token is generated before that time to keep the refresh token alive indefinitely.
  • If a refresh token has expired, you will need to obtain approval from the user again or contact the Razorpay Support team to generate a new access_token and refresh_token pair.

Refresh Tokens

As explained above, refresh tokens can be used to generate a new access token. In case your access token expires, you will receive a 4XX response from the API. You can make a request using your refresh token to generate a new (access_token, refresh_token) pair.

Refer to the following API request to see how to request a new token:

https://auth.razorpay.com/token

Note:
This request must be made from the application's backend server.

Request

The following parameters should be sent in the request:

client_id
Unique client identifier.
client_secret
Client secret string.
grant_type
The type of grant for the request. This should be set to refresh_token.
refresh_token
The refresh token value that was previously stored.

Response

The server will respond with the following parameters:

token_type
Defines the type of access token. This will be set to Bearer.
expires_in
Integer representing the TTL of the access token in seconds.
access_token
Used to access merchant resources on Razorpay. access_token is a private token and should only be used for server-to-server calls.
public_token
A token used only for public routes such as Checkout or Payments. A sample public token will have the following format: rzp_test_oauth_32hsbEKriO6ai4.
refresh_token
New refresh token. The old refresh token expires automatically from this point.

    curl -H "Content-type: application/json" -XPOST https://auth.razorpay.com/token -d '{
      "client_id": "<YOUR_CLIENT_ID>",
      "client_secret": "<YOUR_CLIENT_SECRET>",
      "grant_type": "refresh_token",
      "refresh_token": "def5020096e1c470c901d34cd60fa53abdaf3662sa0"
    }'

    {
      "public_token": "rzp_test_oauth_9xu1rkZqoXlClS",
      "token_type": "Bearer",
      "expires_in": 7862400,
      "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6Ijl4dTF",
      "refresh_token": "def5020096e1c470c901d34cd60fa53abdaf36620e823ffa53"
    }
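
The refresh flow described above, as a small backend helper that treats the access token as stale after 30 minutes and persists each rotated refresh token before using the new pair. This is an added example, not Razorpay's code; TokenManager, http_post_json, MAX_AGE and the save callback are hypothetical names, and where the tokens are stored is left to the caller.

```python
import json
import time
import urllib.request

TOKEN_URL = "https://auth.razorpay.com/token"  # endpoint given on this page
MAX_AGE = 30 * 60  # treat access tokens as stale after 30 minutes, per the note


def http_post_json(url, payload):
    """Default transport: POST a JSON body, return the decoded JSON reply."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenManager:
    """Hypothetical backend helper holding one merchant's token pair."""
    def __init__(self, client_id, client_secret, tokens, save,
                 post=http_post_json, now=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.tokens = dict(tokens)  # access_token, refresh_token, expires_at
        self.save, self.post, self.now = save, post, now

    def refresh(self):
        reply = self.post(TOKEN_URL, {
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "grant_type": "refresh_token",
            "refresh_token": self.tokens["refresh_token"],
        })
        if reply.get("token_type") != "Bearer":
            raise RuntimeError("unexpected token response")
        new = {
            "access_token": reply["access_token"],
            "refresh_token": reply["refresh_token"],
            "expires_at": self.now() + min(int(reply["expires_in"]), MAX_AGE),
        }
        # The old refresh token is dead from this point, so persist the new
        # pair before using it; losing it means asking the user to re-approve.
        self.save(new)
        self.tokens = new

    def authorization_header(self):
        """Return the Bearer header, refreshing first if the token is stale."""
        if self.now() >= self.tokens["expires_at"]:
            self.refresh()
        return {"Authorization": "Bearer " + self.tokens["access_token"]}
```

The save callback should write to encrypted server-side storage, since the refresh token and client_secret must never reach the browser or a mobile client.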