# How to get the token

***

While there are a few ways to get a token, here are examples using both the [Postman app](#postman) and a [cURL](#curl) command.

Your own environment's HTTP library or function may have <mark style="color:red;">`username`</mark> and <mark style="color:red;">`password`</mark> fields or an auth parameter in which you pass your client ID and secret. You can also add your Base64-encoded client ID and secret in an <mark style="color:red;">`Authorization: Basic`</mark> header.

***

### Postman

To generate REST API credentials for the sandbox and live environments:

1. Download [Postman](https://www.postman.com/downloads/) for your environment.
2. In Postman, select the <mark style="color:red;">`POST`</mark> method.
3. Enter the <mark style="color:red;">`https://sandbox.smartfastpay.com/oauth2/token`</mark> request URL.
4. On the **Authorization** tab, select the **Basic Auth** type.\
   Type your client ID in the **Username** box, and type your secret in the **Password** box.
5. Click **Send**.

In exchange for these credentials, the SmartFastPay authorization server returns your access token in the `access_token` field:

{% hint style="info" %}
**Response**
{% endhint %}

```json
{
    "requestId": "a2435636-5f69-447d-8e22-8382f62ef7dd",
    "data": {
        "access_token": "<Access-Token>",
        "token_type": "Bearer",
        "expires_in": 3600
    }
}
```

Include this bearer token in the Authorization header with the Bearer authentication scheme in REST API calls to prove your identity and access protected resources. This sample request includes a bearer token:

```bash
curl -v --location --request POST 'https://sandbox.smartfastpay.com/transaction/checkout' \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer <Access-Token>"
```

Access tokens have a finite lifetime. The <mark style="color:red;">`expires_in`</mark> field contains the number of seconds after which the token expires. For example, an access token with an expiry value of <mark style="color:red;">`3600`</mark> expires in one hour from when the response was generated. In general, access tokens have a life of 15 minutes or eight hours depending on the scopes associated.

To detect when an access token expires, write code to either:

* Keep track of the <mark style="color:red;">`expires_in`</mark> value in the token response.
* Handle the HTTP <mark style="color:red;">`401 Unauthorized`</mark> status code. The API endpoint issues this status code when it detects an expired token.

Re-use the access token until it expires. Then, get a new token.

***

### cURL

1. Download [cURL](https://curl.haxx.se/download.html) for your environment.

> **Note:** On Windows, use a Bash shell to make cURL calls.

2. Run this command, where <mark style="color:red;">`client_id`</mark> is your client ID and <mark style="color:red;">`secret`</mark> is your secret:

```bash
curl -v --location --request POST 'https://sandbox.smartfastpay.com/oauth2/token' \
    --header 'Content-Type: application/json' \
    --header 'Authorization: Basic <Access-Credentials>'
```

> **Note:** If you use a command-line tool other than cURL, set the <mark style="color:red;">`Accept`</mark> header to <mark style="color:red;">`application/x-www-form-urlencoded`</mark>.

In exchange for these credentials, the SmartFastPay authorization server returns your access token in the `access_token` field:

```json
{
    "requestId": "a2435636-5f69-447d-8e22-8382f62ef7dd",
    "data": {
        "access_token": "<Access-Token>",
        "token_type": "Bearer",
        "expires_in": 3600
    }
}
```

Include this bearer token in the <mark style="color:red;">`Authorization`</mark> header with the <mark style="color:red;">`Bearer`</mark> authentication scheme in REST API calls to prove your identity and access protected resources. This sample request includes a bearer token:

```bash
curl -v --location --request GET 'https://sandbox.smartfastpay.com/transactions/' \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer <Access-Token>"
```

Access tokens have a finite lifetime. The <mark style="color:red;">`expires_in`</mark> field contains the number of seconds after which the token expires. For example, an access token with an expiry value of <mark style="color:red;">`3600`</mark> expires in one hour from when the response was generated. In general, access tokens have a life of 15 minutes or eight hours depending on the scopes associated.

To detect when an access token expires, write code to either:

* Keep track of the <mark style="color:red;">`expires_in`</mark> value in the token response.
* Handle the HTTP <mark style="color:red;">`401 Unauthorized`</mark> status code. The API endpoint issues this status code when it detects an expired token.

Re-use the access token until it expires. Then, get a new token.
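
The two expiry-detection approaches listed in both sections above can be combined in one small client-side cache. This is an added example, not SmartFastPay code: `TokenCache`, `http_fetch_token`, the 30-second `skew` margin and the injectable `fetch`/`clock` parameters are assumptions made for illustration; the sandbox URL and response shape are the ones shown on this page.

```python
import base64
import json
import time
import urllib.request

TOKEN_URL = "https://sandbox.smartfastpay.com/oauth2/token"  # sandbox URL from this page


def http_fetch_token(client_id, secret):
    """POST to the token endpoint with HTTP Basic auth; return the parsed JSON body."""
    basic = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    req = urllib.request.Request(
        TOKEN_URL, method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {basic}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Re-uses one access token until shortly before expires_in elapses."""

    def __init__(self, client_id, secret, fetch=http_fetch_token,
                 clock=time.monotonic, skew=30):
        self._creds = (client_id, secret)  # keep out of logs and exception text
        self._fetch, self._clock, self._skew = fetch, clock, skew
        self._token, self._deadline = None, 0.0

    def token(self):
        if self._token is None or self._clock() >= self._deadline:
            requested_at = self._clock()
            data = self._fetch(*self._creds)["data"]
            # expires_in counts from when the response was generated, so measure
            # from before the request and subtract a safety margin (assumed 30 s).
            self._token = data["access_token"]
            self._deadline = requested_at + data["expires_in"] - self._skew
        return self._token

    def invalidate(self):
        self._token = None

    def call(self, send):
        """send(token) -> (status, body). On 401, fetch a new token and retry once."""
        status, body = send(self.token())
        if status == 401:
            self.invalidate()
            status, body = send(self.token())
        return status, body
```

Retrying only once keeps a revoked or wrong credential from turning into a loop of token requests.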
