How it works
Clients send an access token in the Authorization header.
curl -X GET "https://api.startup-payments.example/v1/payments/pay_123" -H "Authorization: Bearer <token>"Payments example
Authentication
The sample API uses bearer token authentication for all server-to-server requests, with scope-based access across create, read, refund, and webhook access patterns.
Recommended token handling
- Issue tokens per environment and client application.
- Rotate credentials regularly.
- Never expose secret tokens in browser-based flows.
- Store production credentials in a secret manager, not source control.
Authorization model
Typical scopes
- payments:create
- payments:read
- payments:refund
- webhooks:read
Failure mode
Unauthorized requests return structured errors.
Authentication failures should return 401 Unauthorized with a stable error code and a trace identifier so support and client teams can diagnose failures consistently.