Set up authorisation assertion grant

To build a self-hosted app and integrate with Zettle APIs, the merchant must provide you with access to merchant data in Zettle. For a self-hosted app, this is done using an API key in the form of a JSON web token (JWT) assertion. The following describes how to set up this authorisation flow.

• A developer account on the Developer Portal. If you don't have this, see sign up for a developer account.
• An API key and a client ID for the app. If you don't have these, see create credentials for a self-hosted app.

Include the API key and the client ID in the following request to retrieve an access token.

Copy
1
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&client_id={client_ID}&assertion={API_key}" https://oauth.zettle.com/token

Note: If you plan to track the app later on, use the client ID of a partner-hosted app.

Example: The following example retrieves an access token using the assertion grant flow. The access token is valid for 7200 seconds. The response value expires_in is the remaining lifetime of the access token in seconds.

Request

Copy
1
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&client_id=6adde977-c34d-4de1-99b2-f6ed3e65431a&assertion=eyJraWQiOiIwIiwidHlwIjoiSl...y9V15QKjn4ZgKRumYb_ikw" https://oauth.zettle.com/token

Response

Copy
1
{
2
    "access_token": "eyJraWQiOiIxNDQ0NzI3MTY0Njk4Iiwi...yZA",
3
    "expires_in": 7200
4
}

Note: If the API key is invalid or revoked by the merchant (Zettle account owner), the response returns error invalid_grant. You need to get a new API key from the merchant.

The access token expires after 7200 seconds. Use the same API key to generate a new one, as described in Step 1: Retrieve an access token.

• Create credentials for a self-hosted app

• OAuth API Reference