API Authentication Guide
This API uses the standard OAuth 2.0 Client Credentials grant. To access protected resources, you must first obtain an access token and provide it in the Authorization header using the Bearer scheme.
1. Base URLs
| Environment | Base URL | Description |
|---|---|---|
| Sandbox | https://sandbox.bmgmoney.com | For testing and integration development. |
| Production | https://api.bmgmoney.com | For live application requests. |
2. Generating an Access Token
To generate a token, you must make a POST request to the authentication endpoint using your client_id and client_secret encoded in Base64.
Endpoint
POST /oauth/access-token
Request Headers
| Header | Value | Description |
|---|---|---|
| Authorization | Basic <Base64(ClientID:ClientSecret)> | The string ClientID:ClientSecret encoded in Base64. |
| Content-Type | application/x-www-form-urlencoded | Required content type. |
Request Body
| Parameter | Type | Value | Description |
|---|---|---|---|
| grant_type | string | client_credentials | The grant type for server-to-server authentication. |
Example Request (cURL)
curl --location 'https://sandbox.bmgmoney.com/oauth/v1/access-token' \
--header 'Authorization: Basic MmZkZmFiODQtMjUzZi00NjM4LWFiZWYtMWMyZWY1YjJkYTZkOjBkZTRiM2FiLWVmNmEtNGRiZC1hODMyLTczN2Y1NjBhNjhiMQ==' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data 'grant_type=client_credentials'
Response Example
{
  "access_token": "ZWFkYjgxNDctNjQwNC1YWFhYLTExMTEtNWNlNTJlYmMyOThjOmE5MTQ0MjZlLWE4NjgtOTk5OS04YjVmLTQ0N2FhNzRjOTgyYg==",
  "token_type": "Bearer",
  "expires_in": 1200
}
3. Authenticating API Requests
Once you have the access_token, you must include it in the Authorization header of your subsequent API calls with the prefix Bearer.
Required Headers
| Header | Value | Description |
|---|---|---|
| Authorization | Bearer <access_token> | The token string returned in the previous step. |
| Content-Type | application/json | Standard content type for API requests. |
Example Request (cURL)
curl --location 'https://sandbox.bmgmoney.com/law' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer ZWFkYjgxNDctNjQwNC1YWFhYLTExMTEtNWNlNTJlYmMyOThjOmE5MTQ0MjZlLWE4NjgtOTk5OS04YjVmLTQ0N2FhNzRjOTgyYg=='
4. Error Handling
Common authentication errors you might encounter:
| HTTP Status | Reason | Description |
|---|---|---|
| 401 Unauthorized | Invalid Token | The Bearer token is invalid, expired, or missing. |
| 403 Forbidden | Access Denied | The credentials used to generate the token do not have permission to access this resource. |
| 400 Bad Request | Invalid Grant | The grant_type is missing or incorrect in the token generation step. |
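
The token and request steps from sections 2 and 3 combined into a small client, as an added example that is not the API provider's own code: it builds the Basic header, reuses the token until shortly before expires_in runs out, and drops it after a 401. TokenCache, the 60-second skew and the BMG_CLIENT_ID / BMG_CLIENT_SECRET environment variable names are assumptions; the token path is the one used in the guide's cURL example.

```python
import base64
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth/v1/access-token"  # path as it appears in the guide's cURL example

def basic_auth_header(client_id, client_secret):
    """Build 'Basic <Base64(ClientID:ClientSecret)>' as the guide describes."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")

def fetch_token(base_url, client_id, client_secret, timeout=10):
    """POST grant_type=client_credentials and return the parsed JSON response."""
    req = urllib.request.Request(
        base_url.rstrip("/") + TOKEN_PATH,
        data=urllib.parse.urlencode({"grant_type": "client_credentials"}).encode(),
        headers={"Authorization": basic_auth_header(client_id, client_secret),
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

class TokenCache:
    """Hypothetical helper: reuse a token until shortly before expires_in elapses."""
    def __init__(self, fetch, skew=60, clock=time.monotonic):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at:
            body = self._fetch()
            if body.get("token_type", "").lower() != "bearer" or not body.get("access_token"):
                raise ValueError("unexpected token response")  # do not echo the body: it may hold a token
            self._token = body["access_token"]
            self._expires_at = self._clock() + max(0, int(body["expires_in"]) - self._skew)
        return self._token

    def invalidate(self):  # call after a 401 so the next get() requests a fresh token
        self._token = None

    def auth_headers(self):
        return {"Authorization": "Bearer " + self.get(), "Content-Type": "application/json"}

if __name__ == "__main__":  # credentials come from the environment, not from source code
    cache = TokenCache(lambda: fetch_token("https://sandbox.bmgmoney.com",
                                           os.environ["BMG_CLIENT_ID"], os.environ["BMG_CLIENT_SECRET"]))
    print("token acquired, length", len(cache.get()))
```

Keeping the client secret in the environment or a secrets manager, and printing only the token length, keeps both credentials out of source control and logs.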