Authorization
The Convenient Checkout API uses OAuth 2.0 for authorization. This document describes the authentication flow and available scopes.
OAuth 2.0 Gateway
| Gateway | OAuth2 Type | Flow Type | Token URL |
|---|---|---|---|
| gateway | OAuth2 | clientCredentials | https://api.uhg.com/oauth2/token |
Available Scopes
| Scope | Environment | Description |
|---|---|---|
| https://api.uhg.com/.default | All | Default scope assigned to all clients |
| financial/commerce/checkout:all | Production | Full scope |
| financial/commerce/checkout:merchant | Production | Merchant scope |
| financial/commerce/checkout:merchant-wallet-management | Production | Merchant wallet management scope |
| financial/commerce/checkout:merchant-pci | Production | Merchant PCI scope |
| financial/commerce/nonprodcheckout:all | Non-production | Full scope |
| financial/commerce/nonprodcheckout:merchant | Non-production | Merchant scope |
| financial/commerce/nonprodcheckout:merchant-wallet-management | Non-production | Merchant wallet management scope |
| financial/commerce/nonprodcheckout:merchant-pci | Non-production | Merchant PCI scope |
OAuth 2.0 Client Credentials Flow
The Client Credentials flow is used for server-to-server API requests where a front-end user is not present. This is typically used for backend integrations with the Convenient Checkout API.
Steps to Acquire an Access Token
- Make a POST request to the token endpoint: https://api.uhg.com/oauth2/token
- Include the following parameters:
  - grant_type: Must be client_credentials
  - scope: Space-separated list of requested scopes
  - client_id: Your application's client ID
  - client_secret: Your application's client secret
Example Request
POST v1/oauth2/token HTTP/1.1
Host: api.uhg.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&scope=financial/commerce/checkout:merchant-wallet-management financial/commerce/nonprodcheckout:merchant-wallet-management
&client_id=your-client-id
&client_secret=your-client-secret
Example Response
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "financial/commerce/checkout:merchant-wallet-management financial/commerce/nonprodcheckout:merchant-wallet-management"
}
Using the Access Token
Once you have obtained an access token, include it in the Authorization header of your API requests:
GET v1/api/v1/convenient-checkout/resource HTTP/1.1
Host: api.uhg.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Best Practices
- Token Storage: Store access tokens securely and never expose them to clients
- Token Refresh: Implement token refresh logic before the access token expires
- Scope Management: Request only the scopes needed for your application
- Production vs. Non-Production: Be aware of the environment-specific scopes
- Error Handling: Implement proper error handling for authorization failures
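
The token-refresh and scope-management practices above, as an added Python example that is not part of the original documentation: a server-side cache for the client credentials flow that requests a new token shortly before `expires_in` elapses and fails if the granted `scope` is narrower than what was requested. The names `TokenCache` and `http_fetch`, the 60-second renewal margin, and the injectable `fetch` and `clock` parameters are assumptions made for illustration.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.uhg.com/oauth2/token"  # token URL from the gateway table


def http_fetch(form: dict) -> dict:
    """POST the form-encoded grant to the token endpoint and parse the JSON reply."""
    body = urllib.parse.urlencode(form).encode()  # also encodes the space between scopes
    req = urllib.request.Request(
        TOKEN_URL, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Holds one access token in memory and renews it before it expires."""

    def __init__(self, client_id, client_secret, scopes, fetch=http_fetch,
                 clock=time.monotonic, margin=60):  # margin (seconds) is an assumption
        self._form = {"grant_type": "client_credentials",
                      "scope": " ".join(scopes),
                      "client_id": client_id,
                      "client_secret": client_secret}
        self._scopes = set(scopes)
        self._fetch, self._clock, self._margin = fetch, clock, margin
        self._token, self._renew_at = None, 0.0

    def get(self) -> str:
        if self._token is None or self._clock() >= self._renew_at:
            reply = self._fetch(self._form)
            if reply.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type")
            # A reply without "scope" is treated as granting exactly what was requested.
            granted = set(reply.get("scope", self._form["scope"]).split())
            missing = self._scopes - granted
            if missing:  # fail here rather than on the first rejected API call
                raise PermissionError(f"scopes not granted: {sorted(missing)}")
            self._token = reply["access_token"]
            self._renew_at = self._clock() + reply["expires_in"] - self._margin
        return self._token

    def auth_header(self) -> dict:
        """Header to attach to API requests; the token never leaves the server."""
        return {"Authorization": f"Bearer {self.get()}"}
```

Passing only the scopes a service needs to `TokenCache` keeps each token's privileges narrow, and the exception messages contain scope names only, never the client secret or the token.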