# Access Token

All requests must carry an **access token**. Access tokens are used to make API requests on behalf of your merchant account and serve as the credential for **Authorization**.

Access tokens must be kept confidential in transit and in storage. The only parties that should ever see the access token are the Kitegateway APIs and your servers. Your application should ensure that the stored access token is not accessible to other applications.

## How to get an access token

Use your merchant [**api\_key**](/dashboard/api-credentials.md#api_key) and [**api\_secret**](/dashboard/api-credentials.md#api_secret) to get an access token by making the request below.

#### Live

```
POST  https://kitegateway.com/v1/auth/token
```

#### Sandbox

```
POST  https://sandbox.kitegateway.com/v1/auth/token
```

{% tabs %}
{% tab title="Headers" %}

#### Request Headers

| Header           | Value                  | Required |
| ---------------- | ---------------------- | -------- |
| **Content-Type** | **`application/json`** | YES      |
| **Accept**       | **`application/json`** | YES      |
| **Secret-Key**   | **`YOUR_SECRET`**      | YES      |

{% endtab %}

{% tab title="Request" %}

#### Request Body

| Parameter       | Type    | Description                                       | Required                      |
| --------------- | ------- | ------------------------------------------------- | ----------------------------- |
| **api\_key**    | string  | Obtained from your merchant profile account       | YES                           |
| **expires\_in** | integer | Lifetime of the token, in seconds                 | Optional. Default 900 seconds |

{% endtab %}

{% tab title="Response" %}

#### Response Body

| Parameter | Type    | Description                                                                |
| --------- | ------- | -------------------------------------------------------------------------- |
| token     | string  | The access token that can be used to make a request to any of the endpoints |
| expires   | integer | The timestamp at which the token expires                                   |

{% endtab %}

{% tab title="Sample Request" %}

`api_key` is obtained from your merchant profile.

```json
{
    "api_key": "2882jj2hh288282jj2",
    "expires_in": 300
}
```

{% endtab %}

{% tab title="Sample Response" %}

```json
{
  "code": 200,
  "status": "success",
  "message": "Token generated",
  "data": {
    "token": "JWT eyJ0eXAiOiBBV1QzI1NiJ9.eTAW0InJvbGUi2YifQ.f6FPyTxzchGD7ed55Rw7ruqe6P_Go",
    "expires": 1622197906
  }
}
```

{% endtab %}
{% endtabs %}

{% hint style="danger" %}

#### Header: Authorization

Every request to any Kitegateway endpoint must contain an `Authorization` header that carries the generated token. This provides another layer of security. To strengthen security further, keep the token as short-lived as your scenario allows.

e.g. **`Authorization: JWT eyJ0ejjsjjdjjjjsjjs.eTThhhshhshhhs.88asd998sads...`**
{% endhint %}
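
The token flow described above, as an added server-side example that is not Kitegateway's own code: it builds the token request from the documented headers and body, validates the response, decides when to refresh, and forms the `Authorization` value. Function names are hypothetical; it assumes `api_secret` is the `Secret-Key` value, that `expires` is a Unix timestamp in seconds, and that `token` may already carry the `JWT ` prefix, as the samples suggest.

```typescript
// Added example, not Kitegateway code. Helper names are hypothetical;
// the endpoint path, headers and field names are the ones documented above.
interface TokenRequest { url: string; method: "POST"; headers: Record<string, string>; body: string }
interface AccessToken { token: string; expires: number }

function isInt(n: unknown): n is number {
  return typeof n === "number" && isFinite(n) && Math.floor(n) === n;
}

// Build POST /v1/auth/token. Non-HTTPS hosts are refused so the secret and
// the token never travel in clear text. Assumes api_secret is the Secret-Key value.
function buildTokenRequest(baseUrl: string, apiKey: string, apiSecret: string, expiresIn = 900): TokenRequest {
  if (baseUrl.slice(0, 8) !== "https://") throw new Error("token endpoint must use https");
  if (!isInt(expiresIn) || expiresIn <= 0) throw new Error("expires_in must be a positive integer");
  return {
    url: baseUrl.replace(/\/+$/, "") + "/v1/auth/token",
    method: "POST",
    headers: { "Content-Type": "application/json", "Accept": "application/json", "Secret-Key": apiSecret },
    body: JSON.stringify({ api_key: apiKey, expires_in: expiresIn }),
  };
}

// Validate the response body. Errors never echo the body, which may hold a token.
function parseTokenResponse(raw: string): AccessToken {
  let doc: any;
  try { doc = JSON.parse(raw); } catch { throw new Error("token response is not JSON"); }
  if (!doc || doc.status !== "success" || !doc.data) throw new Error("token request failed");
  const { token, expires } = doc.data;
  if (typeof token !== "string" || token.length === 0) throw new Error("token missing from response");
  if (!isInt(expires)) throw new Error("expires missing from response");
  return { token, expires };
}

// True when nothing is cached or the token expires within skewS seconds.
// Assumes `expires` is a Unix timestamp in seconds, as the sample value suggests.
function needsRefresh(cached: AccessToken | null, nowS: number, skewS = 30): boolean {
  return cached === null || cached.expires - nowS <= skewS;
}

// Authorization header value. The sample response already carries the "JWT "
// scheme inside `token`, so it is added only when absent (assumption).
function authorizationHeader(t: AccessToken): string {
  return t.token.slice(0, 4) === "JWT " ? t.token : "JWT " + t.token;
}
```

Send the built request with your HTTP client, keep the parsed token in process memory only, and call `needsRefresh` before each API call.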


