Authorization and Technical Requirements

This chapter covers authorization for communication with the InPost Pay app, the configuration of the Merchant's account, and generating access credentials (client_id and client_secret).


The OAuth 2.0 standard is used to authenticate customer communications with InPost Pay (Basket App). For service-to-service communication, without a logged-in user context, the OAuth client_credentials flow is used:

  • The Merchant receives their client_id and client_secret

  • The Merchant generates client_id and client_secret for the production environment through the Merchant's panel according to the manual.

  • The Merchant receives client_id and client_secret for the sandbox environment from InPost upon notifying through the contact form according to the manual.

  • They collect an access token

  • They sign each request. The access token should be provided in the header Authorization: Bearer W-TYM-MIEJSCU-NALEZY-UMIESCIC-TOKEN, where W-TYM-MIEJSCU-NALEZY-UMIESCIC-TOKEN is a placeholder to be replaced with the token

  • The resource server verifies the token, and identifies the customer

Every request sent to the server must carry a valid access token that belongs to the particular User.

The generated token has a limited validity period (defined in expires_in, which is returned together with the token), so it is not necessary to request a new token for each request.

The token endpoint is fixed, and can be a configuration parameter on the customer's side:


Token Collection:


curl --location '' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=sandbox' \
  --data-urlencode 'client_secret=qwertyuiop' \
  --data-urlencode 'grant_type=client_credentials'


{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiw...",
  "expires_in": 300,
  "refresh_expires_in": 0,
  "token_type": "Bearer",
  "not-before-policy": 0,
  "scope": "api:inpostpay"
}



Example implementation in PHP

  • We create the interface of the service, which will make it possible to download the bearer access token.

    <?php

    declare(strict_types=1);

    namespace Iteo\InpostPayClient\Client;

    use Iteo\InpostPayClient\SDK\Core\Exceptions\InpostPayEndpointException;

    /**
     * Interface for creating the bearer token needed to communicate with InPost Pay.
     */
    interface InpostPayBearerServiceInterface
    {
        /**
         * Creates a bearer access token for the given merchant credentials.
         *
         * @return string Bearer access token
         *
         * @throws InpostPayEndpointException
         */
        public function getBearerToken(): string;
    }

  • We create an exception, which will be returned in the case of a failed token download.

  • We create an implementation of the service, which downloads an access token using the getBearerToken method.
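
The implementation step above, sketched as an added example that is not part of the original page or of the Iteo SDK: a getBearerToken() that reuses the token until shortly before expires_in elapses and rejects unusable responses. The class name, the injected $post transport, the 30-second margin, the .invalid placeholder URL and the use of RuntimeException (the constructor of InpostPayEndpointException is not shown on this page) are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not SDK code: the class name, constructor arguments and the
// 30-second refresh margin are assumptions. $post is any closure that sends a
// form-encoded POST and returns the response body (for example a cURL wrapper).
final class CachingBearerService
{
    private ?string $token = null;
    private int $expiresAt = 0;
    public function __construct(
        private string $tokenUrl,       // token endpoint, taken from configuration
        private string $clientId,
        private string $clientSecret,
        private \Closure $post,
        private int $margin = 30
    ) {}

    public function getBearerToken(): string
    {
        // Reuse the cached token until shortly before expires_in runs out.
        if ($this->token !== null && time() < $this->expiresAt - $this->margin) {
            return $this->token;
        }
        $body = ($this->post)($this->tokenUrl, [
            'client_id' => $this->clientId,
            'client_secret' => $this->clientSecret,
            'grant_type' => 'client_credentials',
        ]);
        $data = json_decode($body, true);
        if (!is_array($data) || !isset($data['access_token'], $data['expires_in'])
            || strcasecmp((string) ($data['token_type'] ?? ''), 'Bearer') !== 0) {
            // Keep the response body and the client_secret out of the message.
            throw new \RuntimeException('Token endpoint returned an unusable response');
        }
        $this->token = (string) $data['access_token'];
        $this->expiresAt = time() + (int) $data['expires_in'];
        return $this->token;
    }
}

// Constructed stand-in for the token endpoint so the example runs offline.
$calls = 0;
$fake = function (string $url, array $form) use (&$calls): string {
    $calls++;
    return json_encode(['access_token' => "constructed-$calls", 'expires_in' => 300, 'token_type' => 'Bearer']);
};
$svc = new CachingBearerService('https://token.example.invalid/', 'sandbox', 'qwertyuiop', $fake);
$same = $svc->getBearerToken() === $svc->getBearerToken();
printf("same token reused: %s, requests sent: %d\n", $same ? 'yes' : 'no', $calls);
```

In a real integration the closure would perform the HTTPS POST shown in the curl call above, and the client_secret would come from the Merchant's secret storage rather than from source code.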



The configuration of the Merchant's account - production environment

In order to access the production environment, sign a Contract for Handling and Settling Transactions. If you haven't signed the contract yet, get in touch with your InPost sales representative or use the form included in the section "For Business" in the tab "InPost Pay 'Offer".

After signing the Contract, log in to the site using the login data within the Parcel Manager (a system for handling InPost's logistical contracts).

Attention! All the information must be completed to generate access rights (Client_ID and Client_Secret) for the production environment of the InPost Pay service.


The configuration of the Merchant's account - sandbox environment

In order to gain access to the Sandbox environment, complete and send the Contact form by using the option For Business (Dla Biznesu) and the Sandbox tab.

For the needs of the tests, we also make our InPost Mobile test applications available:

Before starting the tests, make sure that you have the app's latest version.


Technical requirements on the Merchant's side

Outgoing traffic from InPost to the Merchant for InPost's Proxy IP,