Safefy uses OAuth2 Client Credentials for authentication. You must obtain a JWT token before making any other request.

How it works

Getting the token

curl -X POST https://api-payment.safefypay.com.br/v1/auth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grantType": "client_credentials",
    "publicKey": "pk_sandbox_abc123...",
    "secretKey": "sk_sandbox_xyz789..."
  }'

Response:

{
  "data": {
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "tokenType": "Bearer",
    "expiresIn": 3600,
    "environment": "Sandbox"
  }
}

Using the token

Include the token in the Authorization header for all requests:
curl https://api-payment.safefypay.com.br/v1/transactions \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

The token expires in 1 hour (3600 seconds). Refresh it before expiration to avoid interruptions.

Security best practices

Never expose the secretKey

Keep the secretKey only on the backend. Never include it in frontend code or public repositories.

Use environment variables

Store credentials in environment variables or secret managers (AWS Secrets Manager, Vault, etc).

Refresh before expiration

Implement logic to refresh the token before the 3600 seconds expire.

Restrict allowed IPs

In the Safefy dashboard, restrict credential usage to your server IPs.
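
An added example (not Safefy's own code) of the environment-variable and refresh-before-expiration practices above: a backend token cache that reads the keys from the environment and renews the token shortly before expiresIn elapses. The variable names SAFEFY_PUBLIC_KEY and SAFEFY_SECRET_KEY, the 60-second margin, and the function and class names are assumptions.

```python
import json
import os
import time
import urllib.request

TOKEN_URL = "https://api-payment.safefypay.com.br/v1/auth/token"  # from this page
REFRESH_MARGIN = 60  # assumption: renew 60 s before expiresIn elapses


def request_token(public_key, secret_key):
    """POST the client-credentials body shown on this page; return its 'data' object."""
    body = json.dumps({"grantType": "client_credentials",
                       "publicKey": public_key,
                       "secretKey": secret_key}).encode()
    req = urllib.request.Request(TOKEN_URL, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["data"]


class TokenCache:
    """Caches the access token and renews it shortly before it expires."""

    def __init__(self, fetch=request_token, clock=time.monotonic, env=os.environ):
        self._fetch, self._clock, self._env = fetch, clock, env
        self._token, self._renew_at = None, 0.0

    def _credentials(self):
        # Hypothetical variable names; the secret never appears in source code.
        try:
            return self._env["SAFEFY_PUBLIC_KEY"], self._env["SAFEFY_SECRET_KEY"]
        except KeyError as missing:
            raise RuntimeError(f"credential variable {missing} is not set") from None

    def token(self):
        """Return a valid token, fetching a new one only when renewal is due."""
        if self._token is None or self._clock() >= self._renew_at:
            data = self._fetch(*self._credentials())
            self._token = data["accessToken"]
            # Clamp at zero so a very short lifetime never schedules renewal in the past.
            lifetime = max(data["expiresIn"] - REFRESH_MARGIN, 0)
            self._renew_at = self._clock() + lifetime
        return self._token

    def auth_header(self):
        """Header to attach to every API request."""
        return {"Authorization": f"Bearer {self.token()}"}
```

Create one TokenCache per process and call auth_header() for each request, so the secretKey is sent only when a renewal is actually due.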

Common errors

Code | Error | Solution
401 | Invalid credentials | Check publicKey and secretKey
403 | Unauthorized IP | Add the IP in the credential settings
429 | Rate limit exceeded | Wait for the time indicated in Retry-After

Test authentication

Try the authentication endpoint in the playground.