
πŸ” OAuth 2.0 mTLS β€” Token API #

Gateway Path: /connect/mtls/token
Host (test): https://auth-test.10npay.com
Service: Identity / Authorization Server
Method: POST
Auth: Mutual-TLS (mTLS) using a client X.509 certificate + form params


1) 📖 Overview & Purpose

Issues an OAuth 2.0 access token for server-to-server calls using mutual TLS.
After a commercial agreement, a client certificate is generated and bound to your OAuth client. You can then request tokens using the Merchant Portal’s pre-generated cURL command (downloadable there), or by integrating programmatically.

🔐 The private key stays with the client. 10nPayments does not know or store your private key.


2) 🔗 Endpoint Definition

HTTP: POST https://auth-test.10npay.com/connect/mtls/token
Content-Type: application/x-www-form-urlencoded

Required TLS

  • Present the client certificate during the TLS handshake (mTLS).

  • The certificate must match the client registered in the Authorization Server.

Form Fields

Field (type, required) and notes:

  • client_id (string, required ✔): OAuth client identifier assigned to you.

  • grant_type (string, required ✔): Typically client_credentials for mTLS service-to-service. (If your tenant is explicitly configured for password grant, set password and include the username & password fields.)

  • scope (string, required ✔): Space-separated scopes (e.g., Tenn.CRM IdentityServerApi Tenn.RiskService Tenn.FileStorage).

  • IdentityServer:MTLS:X509Certificate (string, required ✔): Thumbprint of the presented client cert (uppercase hex, no spaces).

  • username (string, optional ✖): Only when grant_type=password.

  • password (string, optional ✖): Only when grant_type=password.

ℹ️ Some client profiles may also require Basic auth: Authorization: Basic base64(client_id:client_secret). If your Merchant Portal cURL includes -u client:secret, keep it. If not, mTLS + form fields are sufficient.


3) 📑 Responses

✅ 3.1 Success — 200 OK

{
    "access_token": "{token}",
    "expires_in": 3600,
    "token_type": "Bearer",
    "scope": "IdentityServerApi Tenn.CRM Tenn.FileStorage Tenn.Payment Tenn.RiskService"
}

  • access_token — Bearer token for subsequent API calls.

  • expires_in — Lifetime in seconds.

  • token_type — Always Bearer.

  • scope — Granted scopes (space-separated).

❌ 3.2 Error (examples)

{
    "error": "invalid_grant",
    "error_description": "The user name or password is incorrect."
}

Other possible errors: invalid_client, invalid_request, unauthorized_client.
HTTP status codes reflect the failure (e.g., 400/401/403).


4) 🛑 Security & Operational Notes

  • Certificate lifecycle: The client certificate is issued once after agreement and bound to your OAuth client. Rotate only through official channels.

  • Merchant Portal: Provides a ready-to-use cURL template that includes all required fields and, when applicable, Basic auth.

  • Form encoding: Use application/x-www-form-urlencoded; do not collapse the IdentityServer:MTLS:X509Certificate key with its value—send it as key=value.

  • Storage: Keep tokens securely; never log secrets or long-lived tokens.

  • Scopes: Request only the scopes you need. Excess scopes may be rejected.


5) 💻 Examples

5.1 cURL (mTLS + client_credentials)

curl --location 'https://auth-test.10npay.com/connect/mtls/token' \
  --cert /path/to/client-cert.pem \
  --key /path/to/client-key.pem \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=Finny_Mtls' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'scope=Tenn.CRM IdentityServerApi Tenn.RiskService Tenn.FileStorage' \
  --data-urlencode 'IdentityServer:MTLS:X509Certificate=34AEC57CB3BB60FC869970D00D7FB9FDC8FA46DB'

If your Merchant Portal export includes Basic auth, add:
-u <client_id>:<client_secret> and omit client_id from the body if instructed.
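The form encoding from section 2, the success and error handling from section 3, and a programmatic alternative to the cURL above, as an added Python example that is not 10nPayments' code and not the Merchant Portal export. It uses only the standard library and assumes the thumbprint expected in IdentityServer:MTLS:X509Certificate is the SHA-1 of the certificate's DER encoding (the usual X.509 thumbprint) and that a Merchant Portal `-u client:secret` maps to a Basic Authorization header; the helper names (`thumbprint_from_pem`, `build_token_form`, `parse_token_response`, `request_token`) are my own, and the PEM in the `__main__` block is a constructed stand-in, not a real certificate.

```python
"""Helpers for the /connect/mtls/token request described above.

Added example (not 10nPayments' code). Assumptions: the field names, URL and
response shape are taken from this page; the thumbprint expected in
IdentityServer:MTLS:X509Certificate is the SHA-1 of the certificate's DER
encoding as uppercase hex with no separators (the usual X.509 thumbprint).
"""
import base64
import hashlib
import json
import re
import ssl
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://auth-test.10npay.com/connect/mtls/token"  # test host, from the page


def thumbprint_from_pem(pem: str) -> str:
    """Return the SHA-1 thumbprint of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha1(der).hexdigest().upper()  # uppercase hex, no spaces


def build_token_form(client_id, scopes, thumbprint, grant_type="client_credentials",
                     username=None, password=None) -> str:
    """Encode the form body; username/password are only valid for grant_type=password."""
    if not re.fullmatch(r"[0-9A-F]{40}", thumbprint):
        raise ValueError("thumbprint must be 40 uppercase hex characters with no spaces")
    fields = {
        "client_id": client_id,
        "grant_type": grant_type,
        "scope": " ".join(scopes),  # space-separated scopes
        "IdentityServer:MTLS:X509Certificate": thumbprint,
    }
    if grant_type == "password":
        if not (username and password):
            raise ValueError("password grant requires username and password")
        fields["username"] = username
        fields["password"] = password
    elif username or password:
        raise ValueError("username/password are only used with grant_type=password")
    # urlencode percent-encodes the ':' in the thumbprint key and keeps it as key=value.
    return urllib.parse.urlencode(fields)


class TokenError(Exception):
    """Raised for the error JSON of section 3.2 (invalid_grant, invalid_client, ...)."""

    def __init__(self, status, error, description=""):
        super().__init__(f"HTTP {status} {error}: {description}")
        self.status, self.error, self.description = status, error, description


def parse_token_response(status: int, body: str, now=None) -> dict:
    """Turn the raw HTTP status + JSON body into a token record or a TokenError."""
    data = json.loads(body)
    if status != 200:
        raise TokenError(status, data.get("error", "unknown_error"),
                         data.get("error_description", ""))
    if data.get("token_type") != "Bearer":
        raise TokenError(status, "unexpected_token_type", str(data.get("token_type")))
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],  # keep this out of logs
        "expires_at": now + int(data["expires_in"]),  # absolute expiry for refresh scheduling
        "scopes": data.get("scope", "").split(),
    }


def request_token(cert_pem_path, key_pem_path, client_id, scopes, client_secret=None):
    """Perform the real mTLS request (network call; not exercised by the offline checks)."""
    with open(cert_pem_path) as f:
        pem = f.read()
    body = build_token_form(client_id, scopes, thumbprint_from_pem(pem)).encode()
    ctx = ssl.create_default_context()  # still verifies the server certificate
    ctx.load_cert_chain(certfile=cert_pem_path, keyfile=key_pem_path)  # presented in the handshake
    req = urllib.request.Request(TOKEN_URL, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    if client_secret:  # only when your Merchant Portal cURL carries -u client:secret
        cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return parse_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return parse_token_response(e.code, e.read().decode())


if __name__ == "__main__":
    # Constructed stand-in: the base64 body decodes to b"abc", not a real certificate,
    # so the thumbprint arithmetic can be checked without a key pair.
    demo_pem = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
    print(thumbprint_from_pem(demo_pem))
    print(build_token_form("Finny_Mtls", ["Tenn.CRM", "IdentityServerApi"], thumbprint_from_pem(demo_pem)))
```

`build_token_form` rejects a lowercase or colon-separated thumbprint before anything is sent, and `parse_token_response` converts `expires_in` to an absolute time so the caller can refresh before expiry instead of caching the token indefinitely.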


5.2 .NET (HttpClient with client certificate)

using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography.X509Certificates;
using System.Collections.Generic;

// Attach the client certificate so it is presented during the TLS handshake (mTLS).
var handler = new HttpClientHandler();
handler.ClientCertificates.Add(new X509Certificate2("/path/to/client-cert.pfx", "pfxPassword"));
using var http = new HttpClient(handler);

// Form fields are sent as application/x-www-form-urlencoded; the thumbprint goes under its own key.
var form = new FormUrlEncodedContent(new Dictionary<string, string>
{
    ["client_id"] = "Finny_Mtls",
    ["grant_type"] = "client_credentials",
    ["scope"] = "Tenn.CRM IdentityServerApi Tenn.RiskService Tenn.FileStorage",
    ["IdentityServer:MTLS:X509Certificate"] = "34AEC57CB3BB60FC869970D00D7FB9FDC8FA46DB"
});

var res = await http.PostAsync("https://auth-test.10npay.com/connect/mtls/token", form);
res.EnsureSuccessStatusCode(); // throws on 400/401/403 error responses (see 3.2)
var json = await res.Content.ReadAsStringAsync(); // contains access_token, expires_in, token_type, scope


5.3 Password grant (only if explicitly enabled)

curl --location 'https://auth-test.10npay.com/connect/mtls/token' \
  --cert /path/to/client-cert.pem \
  --key /path/to/client-key.pem \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=YourClient' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'username=john.doe' \
  --data-urlencode 'password=*******' \
  --data-urlencode 'scope=IdentityServerApi' \
  --data-urlencode 'IdentityServer:MTLS:X509Certificate=THUMBPRINT'
