# Merchant Authorization
To access GoDaddy Poynt APIs and a merchant's data on the merchant's behalf, follow the steps outlined below to obtain the merchant's authorization.
- Build a GoDaddy Poynt Authorization URL to redirect the merchant (see example below), where:
  - `redirect_uri` is an HTTPS page hosted on your own site that will be called with the OAuth authorization code. (Note that this should match the URL you've configured in your application settings.)
  - `client_id` is your newly created application ID starting with `urn:aid:`
  - `context` is any string value that you would like passed to your callback URL, e.g. a session ID or a user ID on your side so you can match it with the authenticated merchant. This is optional.
- Redirect the merchant to the GoDaddy Poynt Authorization URL to obtain the necessary permission. The merchant will need to log in to provide authorization.
TIP
For development, you can use your own test merchant account to give permission and experiment with the APIs.
The merchant will be prompted to allow access to the resources you specified for your application. If the merchant has already given you permission, the page will automatically redirect to the next step.
TIP
You will need to log in with your developer account credentials to see the next steps.
- Select the test merchant
- Finish the authorization by clicking on Authorize Access
- The merchant will be redirected back to your `redirect_uri` with `code`, `status`, `context` (optional) and the merchant's `businessId`.

NOTE
`businessId` is a deprecated parameter that has been temporarily kept for backwards compatibility. Use the `poynt.biz` property inside the JWT.

- `status` provides information on whether your request has been authorized by the merchant or not.
- `code` corresponds to a JWT with additional information.
- Decode the `code` to get the businessId.
# Sample Code
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL3BveW50Lm5ldCIsImlhdCI6MTU4NTY4OTgxNiwiZXhwIjoxNTg1NjkwNzE2LCJzdWIiOiJ1cm46YWlkOjFiMDNhZWQzLTU4MjYtNDE2My05ZDA3LWFhOWFkY2I5NGZlOSIsInBveW50LmJpeiI6ImM5NTgwYzI0LWI2MWUtNGUwZC1hZDI2LTFkZDFkMzk0M2QyYyIsInBveW50LnVpZCI6MzQ0MTUwODN9.gPq58I7MEbOhqoZiQIWHE2GHQTUiKlGmDQ--RpgGgAU4blPXRZgOLLzs5CpiF3-5GIdhJ7nxmBdv_-24s1HRqXS9WmBvKV_ZV0W0gzq5GDtIfuYcxfjVQirzPcXWYaCrGmkJ_yOUH0t4UXKEmyu9CQaVKunAT8sipZFS43rO5yTA6CsNMzse7KIdJo92fe0NVb7OVVHxZk0Jknvs-KlFbA0aCsCa1fBnr_gsf3KgHUnYDdlQ7WcvfpdioGGwlDIXBjlhOa4WtqpeJsQt_vrA7Yph9tJpCrl3V951gloWGp1WjEhJfCdwbFJ-SROWnqRl3A3E-5ojG-7TOj1DlT-Gpg
# Decoded JWT
```json
{
  "iss": "https://poynt.net",
  "iat": 1585689816,
  "exp": 1585690716,
  "sub": "urn:aid:1b03aed3-5826-4163-9d07-aa9adcb94fe9",
  "poynt.biz": "c9580c24-b61e-4e0d-ad26-1dd1d3943d2c",
  "poynt.uid": 34415083
}
```
The JWT is signed and issued by https://poynt.net. You can check its authenticity by verifying the signature using the https://poynt.net public key.
TIP
Use this command to get the current public key:

```
openssl s_client -connect poynt.net:443 </dev/null | openssl x509 -pubkey -noout
```
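The verification described above, as an added example that is not GoDaddy Poynt's own code: it checks the RS256 signature of `code` with the Python standard library only, then the `iss`, `sub` and `exp` claims shown in the decoded JWT, before returning `poynt.biz`. Assumptions: the issuer key is supplied as integers `n` and `e`, `sub` carries your application ID, and `demo_token` with its Mersenne-prime key is a constructed stand-in for the issuer.

```python
import base64, hashlib, json, time

SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo, RFC 8017

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def pkcs1_encode(message, k):
    """Expected RS256 padding of SHA-256(message) for a k-byte modulus."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_code(code, n, e, client_id, now=None):
    """Return poynt.biz from a valid `code` JWT, else raise ValueError. (n, e) = issuer RSA key."""
    try:
        h64, p64, s64 = code.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        sig, alg, exp = b64url_decode(s64), header["alg"], float(claims["exp"])
        iss, sub, biz = claims["iss"], claims["sub"], claims["poynt.biz"]
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if alg != "RS256":  # pin the algorithm instead of trusting the header
        raise ValueError("unexpected alg")
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if len(sig) != k or em != pkcs1_encode(f"{h64}.{p64}".encode(), k):
        raise ValueError("bad signature")
    if iss != "https://poynt.net":
        raise ValueError("unexpected issuer")
    if sub != client_id:  # assumption: sub carries your urn:aid:... application id
        raise ValueError("token issued to another application")
    if exp <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return biz

# Constructed, insecure demo key (two Mersenne primes) so the example runs offline.
DEMO_N, DEMO_E = (2**521 - 1) * (2**607 - 1), 65537
DEMO_D = pow(DEMO_E, -1, (2**521 - 2) * (2**607 - 2))

def demo_token(alg="RS256", **overrides):
    claims = {"iss": "https://poynt.net", "exp": time.time() + 900, "sub": "urn:aid:demo-app",
              "poynt.biz": "constructed-business-id", **overrides}
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    si = enc(json.dumps({"alg": alg}).encode()) + "." + enc(json.dumps(claims).encode())
    m = int.from_bytes(pkcs1_encode(si.encode(), 141), "big")  # 141 = byte length of DEMO_N
    return si + "." + enc(pow(m, DEMO_D, DEMO_N).to_bytes(141, "big"))

if __name__ == "__main__":
    print(verify_code(demo_token(), DEMO_N, DEMO_E, "urn:aid:demo-app"))
```

For real tokens, pass the modulus and exponent of the issuer's public key; `openssl rsa -pubin -noout -modulus` prints the modulus in hex. In production a maintained JWT library performs the same checks.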
To terminate the merchant's poynt.net session, redirect them to https://services.poynt.net/auth/signout?redirect={REDIRECT_URL}
By now, your application should have all the necessary permissions to make API calls on behalf of the merchant.