Authorization and Technical Requirements
This chapter contains information regarding authorizations in communications with the InPost Pay app, and the configuration of the Merchant's account, and generating access (client_id and client_secret).
Authorization
To authenticate customer communications with InPost Pay (Basket App), the OAuth 2.0 standard is used. In the case of service to service communications – without the logged user context, client_credentials flow a OAuth is used (https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/).
The Merchant receives their
client_idandclient_secret
The Merchant generates client_id and client_secret for the production environment through the Merchant's panel according to the manual.
The Merchant receives client_id and client_secret for the sandbox environment from InPost upon notifying through the contact form according to the manual.
They collect an access token
They sign each request. The access token should be provided in the header
Authorization: Bearer W-TYM-MIEJSCU-NALEZY-UMIESCIC-TOKENThe resource server verifies the token, and identifies the customer
All the requests sent to the server require entering the right and valid access token, which belongs to the particular User.
The token generated has a specified validity (as defined in expires_in, which is returned together with the token), and it is not necessary to download a new token at each request.
The token endpoint is fixed, and can be a configuration parameter on the customer's side:
Production environment
https://login.inpost.pl/auth/realms/external/protocol/openid-connect/tokenSandbox environment
https://sandbox-login.inpost.pl/auth/realms/external/protocol/openid-connect/token
Token Collection:
Request
curl --location 'https://sandbox-login.inpost.pl/auth/realms/external/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=sandbox' \
--data-urlencode 'client_secret=qwertyuiop' \
--data-urlencode 'grant_type=client_credentials'Response
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiw...",
"expires_in": 300,
"refresh_expires_in": 0,
"token_type": "Bearer",
"not-before-policy": 0,
"scope": "api:inpostpay"
}
Example implementation in PHP
We create the interface of the service, which will make it possible to download the bearer access token.
<?php declare(strict_types=1); namespace Iteo\InpostPayClient\Client; use Iteo\InpostPayClient\SDK\Core\Exceptions\InpostPayEndpointException; /** * Interface used for creating bearer token, needed to communication with Inpost Pay. */ interface InpostPayBearerServiceInterface { /** * Method that creating bearer access token for given merchant credentials. * * @return string Bearer access token * * @throws InpostPayEndpointException */ public function getBearerToken(): string; }
We create an exception, which will be returned in the case of a failed token download.
We create an implementation of the service, which downloads an access token using the getBearerToken method.
To use OAuth 2.0, the library was used https://packagist.org/packages/league/oauth2-client?query=https%3A%2F%2Fpackagist.org%2Fpackages%2Fleague%2Foauth2-client%3Ftype%3Dcontao-module%26page%3D40&type=contao-module#2.7.0
The configuration of the Merchant's account - production environment
In order to access the production environment, sign a Contract for Handling and Settling Transactions. If you haven't signed the contract yet, get in touch with your InPost sales representative or use the form included in the section "For Business" in the tab "InPost Pay 'Offer".
After signing the Contract log in to the https://merchant.inpost.pl/ site using the login data within the Parcel Manager (a system for handling InPost's logistical contracts).
Attention! All the information must be completed to generate access rights (Client_ID and Client_Secret) for the production environment of the InPost Pay service.
The configuration of the Merchant's account- sandbox environment
In order to gain access to the Sandbox environment, complete and send the Contact form by using the option Dla Biznesu and the Sandbox tab.
For the needs of the tests, we also make our InPost Mobile test applications available:
install iOS by downloading the app using the link
https://testflight.apple.com/join/ey6Yherdinstall Android by downloading from the link
https://appdistribution.firebase.dev/i/177826c78050da8e
Make sure that, before starting the tests, make sure that you have the app's latest version.
Technical requirements on the Merchant's side
Outgoing traffic from InPost to the Merchant for InPost's Proxy IP 34.118.93.24, 34.116.145.216.