Developers
V1
V2

REST API Access Token

Learn how to get an access token.

Access token is required to make an iโ€™mport REST API request.

To get access to private resources, such as payment information, you must obtain an access token and include it in the iโ€™mport REST API request.

Get an access token

Request access token from server-side

If you request for access token from the client-side, the REST API Key and REST API Secret are exposed to public creating a potential security vulnerability. Therefore, you must request for access token from the server-side.

STEP 01. Request access code

Use the**REST API Key** and REST API Secret obtained from the Admin console and call the REST API (POST https://api.iamport.kr/users/getToken) to get an access token as follows:

Admin Console > REST API Key & REST API Secret
Admin Console > REST API Key & REST API Secret
server-side
curl -H "Content-Type: application/json" POST -d '{"imp_key": "REST API key", "imp_secret":"REST API Secret"}' https://api.iamport.kr/users/getToken

STEP 02. Get access token

Get the access token from the response as follows:

Response
{ "code": 0, "message": null, "response": { "access_token": "a9ace025c90c0da2161075da6ddd3492a2fca776", // access token "now": 1512446940, // i'mport REST API server's timestamp "expired_at": 1512448740 // token's expiration (UNIX timestamp, KST) } }

Standard NTP Server

The iโ€™mport REST API server synchronizes with the standard time using Google Public NTP.

STEP 03. Using access token

You can use the access token to make an iโ€™mport REST API call. Since iโ€™mport REST APIs use the Bearer authentication method, the HTTP request header includes the access token in the following format:

Authorization: Bearer a9ace025c90c0da2161075da6ddd3492a2fca776

Call the REST API to get the payment details by including the access token in the request header as follows:

server-side
curl -H "Content-Type: application/json" -H "Authorization: Bearer a9ace025c90c0da2161075da6ddd3492a2fca776" https://api.iamport.kr/payments/imp_448280090638

Reissuing and Reusing Access Token

The expiration of the access token is 30 minutes from the time of issuance. A token cannot be used after its expiration. An API call request with an expired token returns a 401 Unauthorized response.

  • Reissuance (after expiration): A new access token is issued. (Expiration: 30 minutes after issuance)

  • Reuse (before expiration): Existing access token is reused. (Expiration: same as before, but extended by 5 minutes if requested within 1 minute from the original expiration)

5 minute extension of expiration

The reuse and 5 minute lifetime extension of access token are provided for the following situations:

  • Multiple web servers of a single merchant are competing to call the REST API (/users/getToken) at the same time.
  • Multiple web servers of a single merchant are not synchronized in time.