Authentication

The Partner API utilizes JWT (JSON Web Tokens) to ensure secure communication. Every request must be authenticated via an Authorization header containing a valid Bearer token.

Obtaining a Token

Partner clients must exchange their encrypted secret (the `secret` field, generated as described below) for a short-lived token via the POST /auth/token endpoint.

ℹ️ Heads Up: Your tokens are valid for 1 hour (ask for more if needed). It is strongly recommended that you design your clients to refresh tokens proactively, before they expire, to avoid service disruption.

Example Request

```bash
curl -X POST {BASE_URL}/auth/token \
  -H "Content-Type: application/json" \
  -H "X-Timestamp: 1774922941924" \
  -d '{
    "identity": "partner-123",
    "secret"  : "Hh4bLUkb..."
  }'
```
ℹ️ Access Credentials

Treasury will provide your unique identity, password and encryption key during the onboarding of your partner account.

Response

Sample Response (200 OK)

```json
{
  "code": 200,
  "data": {
    "token"     : "ey...",
    "expired_at": "2026-01-02T12:00:00+07:00"
  }
}
```

How to generate your secret and timestamp

```python
import time
import base64
import requests
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


def encrypt(data: str, key: str, iv: str) -> str:
    """AES-256-GCM encrypt `data` with `key`, using `iv` as the nonce.

    Returns the base64-encoded ciphertext (the GCM tag is appended by the library).
    """
    KEY_LEN    = 32   # AES-256 key, given as a 32-character string
    IV_LEN     = 12   # 96-bit nonce, the recommended GCM nonce size
    key_bytes  = key.encode()
    iv_bytes   = iv.encode()
    data_bytes = data.encode()

    if len(key_bytes) != KEY_LEN:
        raise ValueError(f"invalid key length: expected {KEY_LEN} bytes, got {len(key_bytes)}")

    if len(iv_bytes) not in (IV_LEN, 16):
        raise ValueError(f"invalid iv length: expected {IV_LEN} or 16 bytes, got {len(iv_bytes)}")

    try:
        aesgcm = AESGCM(key_bytes)
    except Exception as e:
        raise ValueError(f"cipher initialization failed: {e}") from e

    try:
        ciphertext = aesgcm.encrypt(iv_bytes, data_bytes, None)
    except Exception as e:
        raise ValueError(f"encryption failed: {e}") from e

    return base64.b64encode(ciphertext).decode()


identity       = 'your_identity_here'
password       = 'your_password_here'
encryption_key = 'your_encryption_key_must_32chars'   # exactly 32 characters
timestamp_ms   = int(time.time() * 1000)              # current time in milliseconds

# The IV is the first 12 digits of the millisecond timestamp. The full timestamp is
# sent in the X-Timestamp header so the server can derive the same IV when decrypting.
secret         = encrypt(password, encryption_key, str(timestamp_ms)[:12])

url     = '{BASE_URL}/auth/token'
headers = {
    'Content-Type': 'application/json',
    'X-Timestamp' : f'{timestamp_ms}',
}
body = {
    'identity': identity,
    'secret'  : secret
}

response = requests.post(url, headers=headers, json=body, timeout=10)
print(f'status: {response.status_code}')
print(f'body  : {response.text}')
```
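To make the scheme concrete from the verifying side, here is an added example (not part of the documentation above, and not the Treasury server's actual code) that reproduces the client's secret construction and then checks a received secret the way a server would have to: derive the IV from the X-Timestamp header, decrypt under the partner's key, and compare the plaintext against the stored password in constant time. The freshness window `MAX_SKEW_MS` is a hypothetical value chosen for the example; the page does not state what the server enforces.

```python
import base64
import hmac
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Hypothetical replay/skew window for this example; the real server's value is not documented here.
MAX_SKEW_MS = 5 * 60 * 1000


def make_secret(password: str, key: str, timestamp_ms: int) -> str:
    """Client side, mirroring the page's encrypt(): AES-256-GCM over the password,
    IV = first 12 digits of the millisecond timestamp, base64 output."""
    iv = str(timestamp_ms)[:12].encode()
    ciphertext = AESGCM(key.encode()).encrypt(iv, password.encode(), None)
    return base64.b64encode(ciphertext).decode()


def verify_secret(secret_b64: str, x_timestamp: str, key: str,
                  expected_password: str, now_ms: int) -> bool:
    """Server side: returns True only if the secret decrypts under `key` with the IV
    derived from `x_timestamp`, the plaintext equals the stored password, and the
    timestamp is within MAX_SKEW_MS of the server clock."""
    # The header must be a decimal millisecond timestamp with at least 12 digits.
    if not x_timestamp.isdigit() or len(x_timestamp) < 12:
        return False

    # Freshness check: bounds how long a captured request stays usable.
    if abs(now_ms - int(x_timestamp)) > MAX_SKEW_MS:
        return False

    iv = x_timestamp[:12].encode()
    try:
        ciphertext = base64.b64decode(secret_b64, validate=True)  # binascii.Error is a ValueError
        plaintext = AESGCM(key.encode()).decrypt(iv, ciphertext, None)
    except (ValueError, InvalidTag):
        # Bad base64, wrong key, wrong IV or tampered ciphertext all end here; GCM's tag
        # check fails before any plaintext is released.
        return False

    # Constant-time comparison against the stored credential.
    return hmac.compare_digest(plaintext, expected_password.encode())


if __name__ == "__main__":
    # Constructed sample values: a 32-character key and the timestamp from the curl example above.
    KEY = "0123456789abcdef0123456789abcdef"
    ts = 1774922941924
    secret = make_secret("correct horse", KEY, ts)
    print("secret:", secret)
    print("verify (fresh):", verify_secret(secret, str(ts), KEY, "correct horse", ts + 1000))
    print("verify (stale):", verify_secret(secret, str(ts), KEY, "correct horse", ts + MAX_SKEW_MS + 1))
```

Two properties of the scheme are visible in the code. First, because only the first 12 of the 13 timestamp digits feed the IV, the nonce changes every 10 ms, and within one such window the same key and password yield an identical `secret` (AES-GCM is deterministic for a fixed key, nonce and plaintext); the X-Timestamp freshness check, not the IV, is therefore what limits how long a captured request remains acceptable. Second, the plaintext is always the same password, so the verifier never learns anything from the secret beyond pass/fail, which is why the constant-time compare and the tag check are the only decision points.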

Dependencies

```bash
pip install requests
pip install cryptography
```

The Authorization Header

Insert the retrieved token into your HTTP requests like so:

```http
Authorization: Bearer eyJhbGciOiJIUzI...
```
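The "Heads Up" note above asks clients to refresh tokens proactively, and this section shows where the token goes. The following added example (not from the documentation or the Partner API SDK) ties the two together: a small token manager that keeps one token, parses the `expired_at` value from the `/auth/token` response, refreshes a configurable margin before expiry, and hands out the Authorization header. The `exchange` callable is an assumed hook that performs the POST /auth/token request from the earlier example and returns its `data` object; the `clock` parameter exists so the refresh logic can be exercised without waiting an hour.

```python
import time
from datetime import datetime, timezone
from typing import Callable, Dict, Optional

# Hypothetical hook: performs POST /auth/token and returns the response's "data" object,
# i.e. {"token": "...", "expired_at": "2026-01-02T12:00:00+07:00"}.
Exchange = Callable[[], Dict[str, str]]


class TokenManager:
    def __init__(self, exchange: Exchange, refresh_margin_s: int = 300,
                 clock: Callable[[], float] = time.time):
        self._exchange = exchange
        self._margin = refresh_margin_s   # refresh this many seconds before expired_at
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0            # epoch seconds

    @staticmethod
    def parse_expiry(expired_at: str) -> float:
        """Parse the ISO-8601 expired_at value (with UTC offset) into epoch seconds."""
        dt = datetime.fromisoformat(expired_at)
        if dt.tzinfo is None:
            raise ValueError("expired_at must carry a UTC offset")
        return dt.timestamp()

    def needs_refresh(self) -> bool:
        return self._token is None or self._clock() >= self._expires_at - self._margin

    def token(self) -> str:
        """Return a token that is still valid for at least refresh_margin_s seconds."""
        if self.needs_refresh():
            data = self._exchange()
            self._token = data["token"]
            self._expires_at = self.parse_expiry(data["expired_at"])
        return self._token

    def auth_header(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.token()}"}


def simulate_day(step_s: int, ttl_s: int = 3600, margin_s: int = 300) -> int:
    """Drive a TokenManager with a fake clock for 24 hours of requests spaced step_s apart;
    returns how many token exchanges were needed. Constructed scenario for illustration."""
    now = [1_767_225_600.0]   # constructed start: 2026-01-01T00:00:00Z
    calls = [0]

    def exchange() -> Dict[str, str]:
        calls[0] += 1
        expiry = datetime.fromtimestamp(now[0] + ttl_s, tz=timezone.utc).isoformat()
        return {"token": f"tok-{calls[0]}", "expired_at": expiry}

    manager = TokenManager(exchange, refresh_margin_s=margin_s, clock=lambda: now[0])
    for _ in range(0, 86400, step_s):
        manager.auth_header()   # every request goes through the manager
        now[0] += step_s
    return calls[0]


if __name__ == "__main__":
    print("expiry of sample response:", TokenManager.parse_expiry("2026-01-02T12:00:00+07:00"))
    print("exchanges per day, 500 s request interval, 300 s margin:", simulate_day(500))
    print("exchanges per day, 500 s request interval, no margin   :", simulate_day(500, margin_s=0))
```

The margin is the practical point: with `margin_s=0` the manager would happily hand out a token with a few seconds left, which can expire while the request is in flight, whereas a margin of a few minutes costs one extra exchange every few hours. Note also that `expired_at` carries a +07:00 offset, so it must be parsed as an offset-aware datetime rather than compared as a string or treated as local time.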

IP Whitelisting

To protect our API, all traffic is restricted by IP whitelisting. Requests originating from non-whitelisted IP addresses will be immediately rejected with a 403 Forbidden status code, regardless of JWT validity.