Token Based Authentication

To meet PCI DSS authentication and access control standards, Su has implemented Token-Based Authentication for all API access. This mechanism replaces static credential usage with short-lived access tokens, reducing credential exposure and improving overall security posture.

UPDATE NOTICE

We have launched a new Token-based Authentication mechanism, which is active on Production.

Generate Access Token

This endpoint is used to generate an access token required for authenticating.

Endpoint

GET

https://connect-sandbox.su-api.com/SUAPI/jservice/auth/generate-access-token

Header

client-id: base64_encode(domain)
client-secret: (you can generate from extranet) 

Header	Type	Required	Description
client-id	string	Yes	Base64-encoded domain name
client-secret	string	Yes	Client secret key

Note on Generating Access Token:

1. The client-id remains the same for both Sandbox and Production environments.

2. The client-secret differs between the Sandbox and Production accounts.

3. Access tokens generated for the Sandbox environment are prefixed with "sandbox_".

4. Access tokens generated for the Production environment are prefixed with "live_".

5. Tokens for Sandbox and Production are distinct and cannot be used interchangeably.

---

Success Response - For Production

{
    "Status": "Success",
    "Data": {
        "token_type": "Bearer",
        "token": "live_eyJpdiI6IlI1NGR6dndiRTNpci9lcGRZSm8wMXc9PSIsInZhbHVlIjoidEI1NW1SVVNQclFqa0VLRE43aUVXT21YL24yTzViSHRMTHJTYnQ3S2xhYzJ6TFZlMFI0R21oNHZEcHk4M0JuYytvQ3I3NnowL1FsaTNvNkxmbno0UFRSaTVEcjRmMmNNSysvZ29aNzQvNi82QjV4TVhWRTdsbHRybGtWeEJ5MXZYSkJVbjJIL2xHVkRrOGdKcjZnN1lRPT0iLCJtYWMiOiJjNjE5NjI5NTZjNjAwYmQ0NTM1MjBiMjhkNTcxOWFmNzUzMjQzMDBkMDU1ZTE1OGVmY2YyMmM5NmRiNzFkM2YxIiwidGFnIjoiIn0=",
        "expire_in": "3600"
    },
    "Message": "Access Token generated successfully"
}

Success Response - For Sandbox

{
    "Status": "Success",
    "Data": {
        "token_type": "Bearer",
        "token": "sandbox_eyJpdiI6InVTL013bmlpc3VMZVVISmxqNldMMVE9PSIsInZhbHVlIjoiS05nVTVWQ1oxNVVQdk1hWHViZjlUbVRIc0owbjJWdnV1UW1tNlFRN0xjRTlVL0ZRQ093Rjd0SmtZay9kUTJ0dlRlOWl2K2VpZ2Q4MUVuUDhBb3hNQW1XeE81YzA4MXpmZmNDVHk4N0hSV0NCNGRrbXkrLytrS3A1cUtTSHdWWmYyYTY5SXVDNnFoTVdYSVIvalNneTdnPT0iLCJtYWMiOiJhOGUyOWUyNjMwYzE5MjI5MGMwNTI0OTk2Y2Q4ZmQzM2M1NjJmMDAzMjI3NzJjMjYyNmY1ZDQxOTJmNDU2ZWE2IiwidGFnIjoiIn0=",
        "expire_in": "3600"
    },
    "Message": "Access Token generated successfully"
}

---

Response Body Parameters

Status string

Indicates Success whether the token generation was successful.

---

Data object

Contains the access token details.

---

token_type string

Type of token. Always Bearer.

---

token string

The actual access token to be used in the Authorization header.

---

expire_in string

Token expiry duration in seconds.

---

Message string

Message indicating the result of the token generation request.

---

Use the Generated Access Token for each API Request

All API requests must include the generated access token in the Authorization header.

Header

When making authenticated API calls, generated Access Token must be provided using the Authorization header in the format below:

Authorization: Bearer <access_token>

The <access_token> varies depending on whether you're working with the Production or Sandbox environment.

Notes:

1. The Authorization header must use the Bearer prefix (For example, Bearer <token>), not Basic.

2. Access tokens are different for each environment (sandbox and production).

3. If the token is invalid or expired, the API will respond with an “Authorization Required” error.

4. Access Tokens are valid for 60 minutes and must be regenerated after expiration

5. A maximum of 30 tokens can be generated simultaneously within a 60-minute window

---

1. Production Environment Token

Authorization: Bearer live_<token_string> // required

• Access Tokens prefixed with live_ are specific to the production environment.

• These tokens are valid only for production API endpoints.

• Example:

Authorization: Bearer live_eyJpdiI6IlI1NGR6dndiRTNpci9lcGRZSm8wMXc9PSIsInZhbHVlIjoidEI1NW1SVVNQclFqa0VLRE43aUVXT21YL24yTzViSHRMTHJTYnQ3S2xhYzJ6TFZlMFI0R21oNHZEcHk4M0JuYytvQ3I3NnowL1FsaTNvNkxmbno0UFRSaTVEcjRmMmNNSysvZ29aNzQvNi82QjV4TVhWRTdsbHRybGtWeEJ5MXZYSkJVbjJIL2xHVkRrOGdKcjZnN1lRPT0iLCJtYWMiOiJjNjE5NjI5NTZjNjAwYmQ0NTM1MjBiMjhkNTcxOWFmNzUzMjQzMDBkMDU1ZTE1OGVmY2YyMmM5NmRiNzFkM2YxIiwidGFnIjoiIn0=

---

2. Sandbox Environment Token

Authorization: Bearer sandbox_<token_string>

• Access Tokens prefixed with sandbox_ are specific to the sandbox/test environment.

• These cannot be used with production endpoints.

• Example:

  Authorization: Bearer sandbox_eyJpdiI6InVTL013bmlpc3VMZVVISmxqNldMMVE9PSIsInZhbHVlIjoiS05nVTVWQ1oxNVVQdk1hWHViZjlUbVRIc0owbjJWdnV1UW1tNlFRN0xjRTlVL0ZRQ093Rjd0SmtZay9kUTJ0dlRlOWl2K2VpZ2Q4MUVuUDhBb3hNQW1XeE81YzA4MXpmZmNDVHk4N0hSV0NCNGRrbXkrLytrS3A1cUtTSHdWWmYyYTY5SXVDNnFoTVdYSVIvalNneTdnPT0iLCJtYWMiOiJhOGUyOWUyNjMwYzE5MjI5MGMwNTI0OTk2Y2Q4ZmQzM2M1NjJmMDAzMjI3NzJjMjYyNmY1ZDQxOTJmNDU2ZWE2IiwidGFnIjoiIn0=