API Authentication

Authentication process for Sandbox APIs

Authentication on Sandbox APIs

Once you start your subscription, Sandbox will provide you with a unique API key and secret that is accessible from your dashboard. The authentication flow consists of exchanging the key and secret for a JWT access_token. This is done using the Authenticate API.

Users can then pass the access_token along with their key in request headers to make the API calls. Note that the access_token has a validity of 24 hours, post which it will expire.

You can refresh the access_token by calling the Authorize API. You can keep refreshing every 24 hours for up to 365 days, after which you need to acquire new access_token by calling the Authenticate API again.


Suppose an access_token is generated using the Authenticate API (Token A) on 01-01-2023 00:00:00 am, The validity of Token A is 24 hours (until 02-01-2023 00:00:00 am), which is refreshable for up to 365 days. (01-01-2024 00:00:00 am)

When Token A expires, you use the Authorize API to refresh the token. The refreshed token (Token B), is once again valid for 24 hours, and refreshable up to 364 days (01-01-2024 00:00:00 am), while Token A has now expired.

If Token A is used after calling the Authorize API, the API will respond back with 403: Access revoked, if Token A is not yet expired.


key_live is used to make production calls whereas key_test is for test-environment.

Access API Key & Secret from Sandbox Dashboard

  1. Login to Sandbox Dashboard.
  2. Select the Subscription
  3. Go to the API Key tab.
  4. You will be able to see Live and Test Keys associated with your subscription. You will have to reveal the secret key to access it.