Create Partner Access Token

Generate access tokens for API authentication

Partner Access Tokens are used for authenticating server-to-server API calls to the OZZOBiT Whitelabel API. Unlike public API keys (used in widget URLs), access tokens provide secure authentication for backend operations.

Token Types

  • Public API Key: Used in widget URLs and client-side SDK initialization. Safe to expose publicly.
  • Secret API Key: Used with access token generation for server-to-server calls. Never expose in client code.
  • Access Token: Short-lived JWT token generated using your secret key. Used as Bearer token in API requests.

Generating an Access Token

Get Your Credentials

From your Partner Dashboard (Settings → API Keys), note your:

  • API Key (public identifier)
  • API Secret (keep this secure!)

Generate Token via API

get-access-token.js (javascript)
// Generate access token (run server-side only; the secret must never reach a browser)
async function getAccessToken() {
  const response = await fetch('https://OZZOBiT.com/api/api/v2/auth/token', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      // Placeholders: load real values from environment variables or a
      // secrets manager instead of hard-coding them
      apiKey: 'YOUR_PUBLIC_API_KEY',
      apiSecret: 'YOUR_SECRET_API_KEY',
    }),
  })

  const data = await response.json()

  // Treat a non-2xx status or a missing token as a failure
  if (!response.ok || !data.accessToken) {
    throw new Error(`Token generation failed: ${data.message}`)
  }

  return data.accessToken
}

// Usage (top-level await requires an ES module):
const token = await getAccessToken()

// Use in subsequent API calls:
const orders = await fetch('https://OZZOBiT.com/api/api/v2/orders', {
  headers: {
    'Authorization': `Bearer ${token}`,
    'Content-Type': 'application/json',
  }
})

Cache and Refresh Tokens

Access tokens have an expiration time. Cache them and refresh before expiry:

token-manager.ts (typescript)
// Token caching utility
class TokenManager {
  private token: string | null = null
  private expiresAt: number = 0

  async getToken(): Promise<string> {
    // Return cached token if still valid (with 5 min buffer)
    if (this.token && Date.now() < this.expiresAt - 300000) {
      return this.token
    }

    // Generate new token
    const response = await fetch('https://OZZOBiT.com/api/api/v2/auth/token', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
        apiKey: process.env.OZZOBiT_API_KEY!,
        apiSecret: process.env.OZZOBiT_API_SECRET!,
      }),
    })

    const data = await response.json()

    // Fail closed: never cache an undefined token or a NaN expiry
    if (!response.ok || !data.accessToken || typeof data.expiresIn !== 'number') {
      throw new Error(`Token generation failed: ${data.message}`)
    }

    this.token = data.accessToken
    this.expiresAt = Date.now() + (data.expiresIn * 1000)

    return this.token!
  }
}

export const tokenManager = new TokenManager()
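
The TokenManager above sends a separate token request, each carrying the API secret, for every caller that arrives while the cache is empty or stale. The following is an added example, not OZZOBiT's code: it shares one in-flight request among concurrent callers and rejects malformed responses. `requestToken` and `now` are hypothetical injection points; `accessToken`, `expiresIn` and `message` are the response fields the page's code reads.

```typescript
// Added example, not OZZOBiT's code. accessToken / expiresIn / message are the
// response fields the page's code reads; requestToken and now are hypothetical
// injection points so the class can be exercised offline.
type TokenResponse = { accessToken?: string; expiresIn?: number; message?: string }

const REFRESH_BUFFER_MS = 300000 // same 5 min buffer as the page's TokenManager

class SingleFlightTokenManager {
  private token: string | null = null
  private expiresAt = 0
  private inFlight: Promise<string> | null = null
  private requestToken: () => Promise<TokenResponse>
  private now: () => number

  constructor(requestToken: () => Promise<TokenResponse>, now: () => number = () => Date.now()) {
    this.requestToken = requestToken
    this.now = now
  }

  // Deliberately not async: concurrent callers must get the very same promise,
  // so the secret is sent once per refresh instead of once per caller.
  getToken(): Promise<string> {
    if (this.token !== null && this.now() < this.expiresAt - REFRESH_BUFFER_MS) {
      return Promise.resolve(this.token)
    }
    if (this.inFlight !== null) return this.inFlight
    const pending = this.requestToken().then((data) => {
      if (typeof data.accessToken !== 'string' || typeof data.expiresIn !== 'number') {
        // Fail closed: never cache or return an undefined token.
        throw new Error(`Token generation failed: ${data.message ?? 'malformed response'}`)
      }
      this.token = data.accessToken
      this.expiresAt = this.now() + data.expiresIn * 1000
      return data.accessToken
    })
    this.inFlight = pending
    const clear = () => { this.inFlight = null } // success or failure: allow the next refresh
    pending.then(clear, clear)
    return pending
  }
}

// Constructed sample run against a fake endpoint that counts its calls.
let demoCalls = 0
const demoManager = new SingleFlightTokenManager(async () => {
  demoCalls += 1
  return { accessToken: `constructed-token-${demoCalls}`, expiresIn: 3600 }
})
const demoFirst = demoManager.getToken()
const demoSecond = demoManager.getToken() // shares demoFirst's request
```

In a real service, `requestToken` would wrap the POST to the token endpoint shown earlier and read the key and secret from the environment.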

⚠️ Security Best Practices

  • Never store your API Secret in client-side code or version control
  • Use environment variables or a secrets manager (AWS Secrets Manager, Vault, etc.)
  • Implement token caching to avoid regenerating tokens on every request
  • Rotate your API Secret periodically through the dashboard
  • Monitor token usage for unusual activity patterns