GoPay next-gen
API URLs are built from three parts:
- Environment root
- API version
- Resource endpoint
Environment root is the base URL of the environment to be used, sandbox or production:
- Sandbox root: https://gw.sandbox.gopay.com
- Production root: https://api.gopay.com
API version is in the format /api/x.y, where x is the major version and y is the minor version. For example /api/4.0
Resource endpoint is the resource or operation you are actually targeting and can be found in this documentation. For example the authentication endpoint is /oauth2/token
The final URL is the concatenation of these three parts: {environment_root}{api_version}{resource_endpoint}
So to authenticate on the sandbox with API version 4.0, you would POST to
https://gw.sandbox.gopay.com/api/4.0/oauth2/token
Request headers
- Authorization: HTTP Basic authentication (see the example below). Only applies to the client_credentials grant type.
Request body (application/x-www-form-urlencoded)
- grant_type: OAuth2 grant type. Use client_credentials if you don't have a refresh token yet, refresh_token once you have one.
- scope: Only applies to the client_credentials grant type. List of values from Scope separated by spaces (URL-encoded in the form body).
- refresh_token: Only applies to the refresh_token grant type. Refresh token value.
- client_id: Only applies to the refresh_token grant type. Client ID for which the original token was issued.
Responses
Headers
- Content-Type: application/json
Body
- access_token: The access token itself, a JWT (see JWT below). It is sent as Authorization: Bearer on the other endpoints.
- token_type: bearer
- refresh_token: Refresh token for the refresh_token grant type.
- scope: Scopes of the issued token. Only present when the token is refreshed.
POST /api/4.0/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

grant_type=client_credentials&scope=payment:create%20payment:read
HTTP/1.1 200 OK
Content-Type: application/json

{
"access_token": "ewogICJhbGciOiAiSFMyNTYiLAogICJ0eXAiOiAiSldUIiwKICAia2lkIjogImtleS0yMDI1LTA0Igp9.ewogICJzdWIiOiAiY2xpZW50X2lkXzEyMyIsCiAgInNjb3BlIjogInBheW1lbnRzOnJlYWQgcGF5bWVudHM6d3JpdGUiLAogICJpYXQiOiAxNzEyNjQwMDAwLAogICJleHAiOiAxNzEyNjQzNjAwCn0.bWlrZWhlcmVfaXMtbXktc3VwZXJzZWNyZXQtbGlrZQ",
"token_type": "bearer",
"refresh_token": "efgh"
}
POST /api/4.0/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json

grant_type=refresh_token&refresh_token=efgh&client_id=1234
HTTP/1.1 200 OK
Content-Type: application/json

{
"access_token": "ewogICJhbGciOiAiSFMyNTYiLAogICJ0eXAiOiAiSldUIiwKICAia2lkIjogImtleS0yMDI1LTA0Igp9.ewogICJzdWIiOiAiY2xpZW50X2lkXzEyMyIsCiAgInNjb3BlIjogInBheW1lbnRzOnJlYWQgcGF5bWVudHM6d3JpdGUiLAogICJpYXQiOiAxNzEyNjQ2MDAwLAogICJleHAiOiAxNzEyNjQ5NjAwCn0.bWlrZWhlcmVfaXMtbXktc3VwZXJzZWNyZXQtbGlrZQ",
"token_type": "bearer",
"refresh_token": "qwer"
}
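The two token requests above, built and parsed in Go as an added example; this is not GoPay's code or SDK. It assumes that the HTTP Basic user name and password are the merchant's client ID and client secret (the page only shows them as username:password); the client ID 1234, the secret and the scopes are constructed values. Nothing is sent over the network: the functions return an *http.Request ready for an http.Client, so the encoding of the body and headers can be inspected.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// Environment roots and API version from the documentation. Keeping the root a
// fixed constant rather than a value read from untrusted input means the Basic
// credentials below can never be posted to an attacker-chosen host.
const (
	SandboxRoot    = "https://gw.sandbox.gopay.com"
	ProductionRoot = "https://api.gopay.com"
	APIVersion     = "/api/4.0"
)

// TokenResponse mirrors the JSON body returned by POST /oauth2/token.
type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	TokenType    string `json:"token_type"`
	RefreshToken string `json:"refresh_token"`
	Scope        string `json:"scope,omitempty"` // documented as present only after a refresh
}

// endpointURL is {environment_root}{api_version}{resource_endpoint}.
func endpointURL(root, resource string) string {
	return root + APIVersion + resource
}

func newTokenRequest(root string, form url.Values) (*http.Request, error) {
	// url.Values.Encode percent-encodes ':' and turns the space between scopes
	// into '+', which the raw example on the page leaves unencoded.
	req, err := http.NewRequest(http.MethodPost, endpointURL(root, "/oauth2/token"), strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Accept", "application/json")
	return req, nil
}

// clientCredentialsRequest is the first call of the flow. ASSUMPTION: the HTTP
// Basic user name and password are the merchant's client ID and client secret.
func clientCredentialsRequest(root, clientID, clientSecret string, scopes []string) (*http.Request, error) {
	form := url.Values{}
	form.Set("grant_type", "client_credentials")
	form.Set("scope", strings.Join(scopes, " "))
	req, err := newTokenRequest(root, form)
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(clientID, clientSecret)
	return req, nil
}

// refreshTokenRequest carries no Authorization header: the refresh token itself
// is the credential, so it must be stored as carefully as the client secret.
func refreshTokenRequest(root, clientID, refreshToken string) (*http.Request, error) {
	form := url.Values{}
	form.Set("grant_type", "refresh_token")
	form.Set("refresh_token", refreshToken)
	form.Set("client_id", clientID)
	return newTokenRequest(root, form)
}

// parseTokenResponse accepts only a 200 with a non-empty bearer token, so an
// error page or a foreign JSON document is never mistaken for a credential.
func parseTokenResponse(status int, body []byte) (*TokenResponse, error) {
	if status != http.StatusOK {
		return nil, fmt.Errorf("token endpoint returned HTTP %d", status)
	}
	var tr TokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return nil, err
	}
	if !strings.EqualFold(tr.TokenType, "bearer") || tr.AccessToken == "" {
		return nil, fmt.Errorf("token response is not a bearer token")
	}
	return &tr, nil
}

func main() {
	// Constructed client ID, secret and scopes; nothing here is sent anywhere.
	req, err := clientCredentialsRequest(SandboxRoot, "1234", "secret", []string{"payment:create", "payment:read"})
	if err != nil {
		panic(err)
	}
	body, _ := io.ReadAll(req.Body)
	fmt.Println(req.Method, req.URL, req.Header.Get("Authorization"))
	fmt.Println(string(body))
}
```

The refresh request deliberately has no Basic header, matching the second example on the page; the refresh token is the only credential in that call.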
Returns the public encryption key to be used for encrypting card data for the Create card token endpoint.
It is structured as a JWK described by RFC 7517
Request headers
- Authorization: Bearer access token obtained from the /oauth2/token endpoint
Responses
Headers
- Content-Type: application/json
Body
- The JWK (see Public encryption key below)
GET /encryption/public-key HTTP/1.1
Accept: application/json
Authorization: Bearer {access_token}

HTTP/1.1 200 OK
Content-Type: application/json

{
"kty": "RSA",
"kid": "key_20250406",
"use": "enc",
"alg": "RSA-OAEP-256",
"n": "y7WkT3qvY...",
"e": "AQAB"
}
Create card token
Request headers
- Authorization: Bearer access token
Request body (application/json)
- payload: The JWE string containing the encrypted card data. See JWE and Encrypted card for details.
- permanent: Whether to save the card for permanent usage.
Responses
Headers
- Content-Type: application/json
Body
- The card token (token) together with the masked PAN, expiration, brand and fingerprint. As the examples below show, a temporary token (permanent: false) carries expires_in, while a permanent one carries card_art_url and masked_virtual_pan instead.
POST /cards/tokens HTTP/1.1
Content-Type: application/json
Accept: application/json
Authorization: Bearer {access_token}

{
"payload": "eyJalgIjoiUlNBLU9BRVAtMjU2IiwiZW5jIjoiQTI1NkdDTSIsImtpZCI6ImtleV8yMDI1MDQwNl8wMDEifQ.aG93ZGlkYmFzZTY0.dGhpc2lzdGhlaXY.ZW5jcnlwdGVkY2FyZGhvbGRlcmRhdGE.YXV0aHRhZw",
"permanent": false
}
HTTP/1.1 201 Created
Content-Type: application/json

{
"masked_pan": "506821******1234",
"expiration_month": "01",
"expiration_year": "31",
"brand": "MASTERCARD",
"fingerprint": "klj54njk4njk54bn5jk4n",
"token": "card-on3kno3i4ni3jn",
"expires_in": "900"
}
POST /cards/tokens HTTP/1.1
Content-Type: application/json
Accept: application/json
Authorization: Bearer {access_token}

{
"payload": "eyJalgIjoiUlNBLU9BRVAtMjU2IiwiZW5jIjoiQTI1NkdDTSIsImtpZCI6ImtleV8yMDI1MDQwNl8wMDEifQ.aG93ZGlkYmFzZTY0.dGhpc2lzdGhlaXY.ZW5jcnlwdGVkY2FyZGhvbGRlcmRhdGE.YXV0aHRhZw",
"permanent": true
}
HTTP/1.1 201 Created
Content-Type: application/json

{
"masked_pan": "506821******1234",
"expiration_month": "01",
"expiration_year": "31",
"brand": "MASTERCARD",
"fingerprint": "klj54njk4njk54bn5jk4n",
"token": "card-on3kno3i4ni3jn",
"card_art_url": "https://card.art/pic.png",
"masked_virtual_pan": "502168******9876"
}
JWT header
- alg: Will always be HS256
- typ: Will always be JWT
- kid: Key ID that was used to sign the token
{
"alg": "HS256",
"typ": "JWT",
"kid": "key-2025-04"
}
JWT claims
- sub: The client ID for which the token has been issued
- scope: Space-separated list of scopes
- iat: Unix timestamp (seconds) of when the token was issued
- exp: Unix timestamp (seconds) of the token expiration
{
"sub": "client_id_123",
"scope": "payments:read payments:write",
"iat": 1712640000,
"exp": 1712643600
}
JWT
The JWT string as described by RFC 7519: JSON Web Token (JWT). The JWT has 3 parts:
- header: JSON serialized JWT header
- claims: contains the main part of the token, see JWT Claims for details
- signature: contains the cryptographic signature of the token
Each of these parts is Base64URL-encoded and concatenated using dots, so the overall structure is:
BASE64URL(header).BASE64URL(claims).BASE64URL(signature)
HS256 is a symmetric (HMAC-SHA256) scheme, so the signing key exists only on GoPay's side: a client cannot verify the signature and should treat the token as an opaque bearer credential, reading the claims at most to learn when exp will require a refresh. The token grants everything in its scope, so keep it out of logs and URLs.
ewogICJhbGciOiAiSFMyNTYiLAogICJ0eXAiOiAiSldUIiwKICAia2lkIjogImtleS0yMDI1LTA0Igp9.ewogICJzdWIiOiAiY2xpZW50X2lkXzEyMyIsCiAgInNjb3BlIjogInBheW1lbnRzOnJlYWQgcGF5bWVudHM6d3JpdGUiLAogICJpYXQiOiAxNzEyNjQwMDAwLAogICJleHAiOiAxNzEyNjQzNjAwCn0.bWlrZWhlcmVfaXMtbXktc3VwZXJzZWNyZXQtbGlrZQ
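The sample token above, taken apart in Go as an added example; this is not GoPay's code. Because HS256 is an HMAC, only the issuer can check the signature, so the client-side function decodes without verifying and pins alg to HS256 so that an alg=none token is never accepted by mistake. signHS256 and verifyHS256 show the issuer's side with a constructed demo key (an assumption for illustration; the real key never leaves GoPay), and needsRefresh is the one client-side use of exp.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// JWTHeader and JWTClaims follow the header and claims tables on this page.
type JWTHeader struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
	Kid string `json:"kid"`
}

type JWTClaims struct {
	Sub   string `json:"sub"`
	Scope string `json:"scope"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

// sampleToken is the access token from the response example on this page.
const sampleToken = "ewogICJhbGciOiAiSFMyNTYiLAogICJ0eXAiOiAiSldUIiwKICAia2lkIjogImtleS0yMDI1LTA0Igp9.ewogICJzdWIiOiAiY2xpZW50X2lkXzEyMyIsCiAgInNjb3BlIjogInBheW1lbnRzOnJlYWQgcGF5bWVudHM6d3JpdGUiLAogICJpYXQiOiAxNzEyNjQwMDAwLAogICJleHAiOiAxNzEyNjQzNjAwCn0.bWlrZWhlcmVfaXMtbXktc3VwZXJzZWNyZXQtbGlrZQ"

// decodePart Base64URL-decodes one dot-separated part (JWTs carry no '=' padding) into v.
func decodePart(part string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// decodeUnverified reads header and claims WITHOUT checking the signature. HS256 is
// symmetric, so only the issuer holds the key; a client may read exp and scope to
// plan a refresh but must not treat the claims as authenticated.
func decodeUnverified(token string) (JWTHeader, JWTClaims, error) {
	h, c := JWTHeader{}, JWTClaims{}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return h, c, fmt.Errorf("jwt: expected header.claims.signature, got %d parts", len(parts))
	}
	if err := decodePart(parts[0], &h); err != nil {
		return h, c, fmt.Errorf("jwt: header: %w", err)
	}
	if h.Alg != "HS256" || h.Typ != "JWT" { // pin the algorithm; never let the token choose it
		return h, c, fmt.Errorf("jwt: unexpected header alg=%q typ=%q", h.Alg, h.Typ)
	}
	if err := decodePart(parts[1], &c); err != nil {
		return h, c, fmt.Errorf("jwt: claims: %w", err)
	}
	return h, c, nil
}

// needsRefresh is the client-side use of exp: true when the token expires within
// margin of now, so it can be refreshed before the gateway starts returning 401.
func needsRefresh(c JWTClaims, now time.Time, margin time.Duration) bool {
	return !time.Unix(c.Exp, 0).After(now.Add(margin))
}

// signHS256 and verifyHS256 show the issuer's side of the scheme. The key passed
// in is a constructed demo key; the real signing key never leaves GoPay.
func signHS256(h JWTHeader, c JWTClaims, key []byte) (string, error) {
	hb, errH := json.Marshal(h)
	cb, errC := json.Marshal(c)
	if errH != nil || errC != nil {
		return "", fmt.Errorf("jwt: cannot marshal header or claims")
	}
	input := base64.RawURLEncoding.EncodeToString(hb) + "." + base64.RawURLEncoding.EncodeToString(cb)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil)), nil
}

func verifyHS256(token string, key []byte) bool {
	if _, _, err := decodeUnverified(token); err != nil { // rejects alg=none and malformed tokens
		return false
	}
	parts := strings.Split(token, ".")
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	return hmac.Equal(mac.Sum(nil), sig) // constant-time comparison
}

func main() {
	h, c, err := decodeUnverified(sampleToken)
	if err != nil {
		panic(err)
	}
	fmt.Printf("kid=%s sub=%s scope=%q expires=%s\n", h.Kid, c.Sub, c.Scope, time.Unix(c.Exp, 0).UTC())
}
```

The signature on the page's sample token is a placeholder, so verifyHS256 rejects it under any key; the page's header and claims still decode cleanly because both parts are unpadded Base64URL as RFC 7519 requires.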
Public encryption key
The structure of the public encryption key. It is formatted according to RFC 7517: JSON Web Key (JWK).
- kty: Key type. Will always be RSA.
- kid: Key ID containing the information about the key age.
- use: Key usage. Will always be enc.
- alg: Algorithm to be used for encryption with the key.
- n: The RSA public key modulus part.
- e: The RSA public key exponent part.
Fetch the key from the endpoint rather than embedding it in your integration, since the kid changes when the key is rotated, and copy that kid into the JWE header so the gateway can select the matching private key.
{
"kty": "RSA",
"kid": "key_20250406",
"use": "enc",
"alg": "RSA-OAEP-256",
"n": "y7WkT3qvY...",
"e": "AQAB"
}
JWE header
The header for the JWE payload as described by RFC 7516 Section 4.
{
"alg": "RSA-OAEP-256",
"enc": "A256GCM",
"kid": "key_20250406",
"typ": "JWE"
}
JWE
The structure containing the encrypted payload. It is described by RFC 7516: JSON Web Encryption (JWE). The JWE has 5 parts:
- header: contains the JSON serialized JWE header
- encrypted_key: contains the CEK (Content Encryption Key) encrypted with the public JWK
- iv: initialization vector used for content encryption
- ciphertext: contains the Encrypted card
- tag: encryption authentication tag
Each of these parts is Base64URL-encoded and concatenated using dots, so the overall structure is:
BASE64URL(header).BASE64URL(encrypted_key).BASE64URL(iv).BASE64URL(ciphertext).BASE64URL(tag)
With alg RSA-OAEP-256 and enc A256GCM this is the compact serialization of RFC 7516: a fresh random CEK is wrapped with the RSA public key, and the A256GCM tag authenticates both the ciphertext and the Base64URL-encoded header, which is passed to GCM as additional authenticated data. Generate a new CEK and IV for every card; reusing a CEK/IV pair under GCM breaks both confidentiality and integrity.
eyJalgIjoiUlNBLU9BRVAtMjU2IiwiZW5jIjoiQTI1NkdDTSIsImtpZCI6ImtleV8yMDI1MDQwNl8wMDEifQ.aG93ZGlkYmFzZTY0.dGhpc2lzdGhlaXY.ZW5jcnlwdGVkY2FyZGhvbGRlcmRhdGE.YXV0aHRhZw
Encrypted card
The plaintext that is encrypted into the JWE ciphertext:
- card_pan: full card number (PAN)
- exp_month: two-digit expiration month
- exp_year: two-digit expiration year
- cvv: card verification value
This JSON should only ever exist in memory on the side that encrypts it: never log or persist it (the CVV in particular must not be stored), and send the card only as the JWE payload of the Create card token request.
{
"card_pan": "4444444444444448",
"exp_month": "01",
"exp_year": "27",
"cvv": "258"
}
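Putting the Public encryption key, JWE header, JWE and Encrypted card sections together: an added Go example, not GoPay's code, that parses the JWK, refuses anything other than the RSA/enc/RSA-OAEP-256 key the page documents, and builds the compact JWE for the card JSON above. The page's JWK has a truncated modulus, so main generates a throwaway RSA key pair to stand in for GoPay's (an assumption for illustration); the card values are the sample ones from this page and the kid is copied from the JWK into the JWE header.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// JWK mirrors the public encryption key returned by GET /encryption/public-key.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	Use string `json:"use"`
	Alg string `json:"alg"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// EncryptedCard is the plaintext JSON that becomes the JWE ciphertext.
type EncryptedCard struct {
	CardPAN  string `json:"card_pan"`
	ExpMonth string `json:"exp_month"`
	ExpYear  string `json:"exp_year"`
	CVV      string `json:"cvv"`
}

var b64 = base64.RawURLEncoding.EncodeToString

// parseJWK accepts only the RSA/enc/RSA-OAEP-256 key this page documents, so a
// substituted key with a weaker algorithm or a different use is never encrypted to.
func parseJWK(data []byte) (*rsa.PublicKey, string, error) {
	var k JWK
	if err := json.Unmarshal(data, &k); err != nil {
		return nil, "", err
	}
	if k.Kty != "RSA" || k.Use != "enc" || k.Alg != "RSA-OAEP-256" {
		return nil, "", fmt.Errorf("jwk: unexpected kty=%q use=%q alg=%q", k.Kty, k.Use, k.Alg)
	}
	nb, errN := base64.RawURLEncoding.DecodeString(k.N)
	eb, errE := base64.RawURLEncoding.DecodeString(k.E)
	if errN != nil || errE != nil {
		return nil, "", errors.New("jwk: n and e must be Base64URL-encoded big-endian integers")
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
	if pub.N.BitLen() < 2048 {
		return nil, "", errors.New("jwk: RSA modulus shorter than 2048 bits")
	}
	return pub, k.Kid, nil
}

// encryptCard produces the compact JWE: a fresh 256-bit CEK wrapped with
// RSA-OAEP-256 (SHA-256 for both OAEP and MGF1), and the card JSON sealed with
// AES-256-GCM using the Base64URL protected header as AAD (RFC 7516 section 5.1).
func encryptCard(card EncryptedCard, pub *rsa.PublicKey, kid string) (string, error) {
	plaintext, err := json.Marshal(card)
	if err != nil {
		return "", err
	}
	header, _ := json.Marshal(map[string]string{"alg": "RSA-OAEP-256", "enc": "A256GCM", "kid": kid, "typ": "JWE"})
	protected := b64(header) // ASCII(BASE64URL(header)) is also the AAD for GCM
	random := make([]byte, 32+12) // fresh 256-bit CEK and 96-bit IV for this one JWE only
	if _, err := rand.Read(random); err != nil {
		return "", err
	}
	cek, iv := random[:32], random[32:]
	encryptedKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return "", err
	}
	block, _ := aes.NewCipher(cek) // cannot fail: the key is exactly 32 bytes
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES has the 128-bit block GCM needs
	sealed := gcm.Seal(nil, iv, plaintext, []byte(protected))
	split := len(sealed) - gcm.Overhead() // Go appends the 16-byte tag; JWE carries it as its own part
	return strings.Join([]string{protected, b64(encryptedKey), b64(iv), b64(sealed[:split]), b64(sealed[split:])}, "."), nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // constructed key pair standing in for GoPay's
	if err != nil {
		panic(err)
	}
	jwk, _ := json.Marshal(JWK{Kty: "RSA", Kid: "key_20250406", Use: "enc", Alg: "RSA-OAEP-256",
		N: b64(priv.N.Bytes()), E: b64(big.NewInt(int64(priv.E)).Bytes())})
	pub, kid, err := parseJWK(jwk)
	if err != nil {
		panic(err)
	}
	jwe, err := encryptCard(EncryptedCard{CardPAN: "4444444444444448", ExpMonth: "01", ExpYear: "27", CVV: "258"}, pub, kid)
	if err != nil {
		panic(err)
	}
	fmt.Println(jwe)
}
```

Because the protected header is the AAD, the kid, alg and enc are covered by the tag: the gateway cannot be tricked into decrypting under a different key or mode without the tag check failing. The CEK and IV come from the same single crypto/rand read and are discarded after one JWE.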