Introduction to OAuth 2.0 Integration

OAuth 2.0 enables your
Barclays
 merchants to securely grant your web-application permission to perform actions on their behalf, such as accessing their customer data and processing transactions. As a technology partner, you can integrate OAuth 2.0 into your web-application through
Barclays
. When your integration is complete,
Barclays
 authenticates merchants for you, ensuring that your web-application only performs actions authorized by the merchants. This authentication method securely connects your web-application to the merchant account without the need to receive or store sensitive merchant credentials in your system.
This guide explains how to set up and enable OAuth 2.0 for your web-application.
IMPORTANT
OAuth integration through
Barclays
 is in the pilot phase. To join the pilot program, and to know which API requests are OAuth-enabled, contact
Barclays
 support:

How to Implement OAuth 2.0

This overview describes the steps that you and the merchant must complete to implement OAuth.
  1. You enable mutual authentication by obtaining a Certificate Signing Request (CSR) from a supported certificate authority (CA). After obtaining a CSR, you provide your common name details to
    Barclays
    . For more information, see Enable Mutual Authentication.
  2. You register your web-application in the
    Smartpay Fuse Portal
    . You set a scope of permissions and a redirect URL to your web-application. For more information, see Register Your Application.
  3. The merchant visits your web-application, provides their credentials, and clicks a button or link to complete the permission process.
  4. Your application redirects the merchant to a
    Barclays
    -hosted webpage. For more information, see Register Your Application.
  5. The merchant logs in to the
    Smartpay Fuse Portal
     and grants your web-application permission to access their merchant account based on the scope you set previously. Notify the merchant that their account must have access to grant OAuth permissions to complete this requirement.
  6. Barclays
     redirects the merchant to your application using the redirect URL you registered. An authentication code is appended to the redirect URL. For more information, see Interpreting the Redirect Response.
  7. Your application exchanges the authorization code with
    Barclays
     for these two tokens:
    • Access token:
       A token to authenticate transactions using
      Barclays
      . For more information about how to authenticate
      Barclays
       transactions using this token, see Submit API Requests Using OAuth.
    • Refresh token:
       A token that you can use to request additional access tokens.
    For more information about requesting tokens, see Request the Access and Refresh Tokens.
    For more information about refreshing your existing tokens, see Refresh the Access Token and Refresh the Refresh Token.
To change the permissions the merchant grants you, you must repeat steps 2–7.
You must obtain test merchant credentials to emulate the access delegation. Your test account must contain at least one card-based transaction from within the past 7 days.