

To protect your data and users, Walley uses Microsoft Azure ADB2C as its authentication service provider. To gain access to the API, your application must authenticate against this service to obtain a token, which it then uses to identify itself to our APIs.

Microsoft Azure ADB2C follows the OAuth2 standard, and to integrate with the Walley API you use the Client Credentials flow. Read more about it


1. Generate an API secret

Go to Walley Merchant Hub, click on your name in the top right menu, and select "Manage access".

  • Click on the "Create +" button and then select "Api key".
  • Fill out the form and click on "Create".
  • Copy the client id and secret and save this to a password manager.

The secret is visible only once and can't be recovered. If it is lost, a new secret must be created.

2. Request an access token

In order to communicate with our APIs, you will need to request an access token that you will use in all subsequent requests to our API.

To get the access token your application needs to perform a request against our authentication endpoint:

See endpoints for testing and production.
Read more about access tokens

Please Note

The token provided in this response will expire. To get a new token, simply execute the same request again.

POST /oauth2/v2.0/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded


Request Properties

  • client_id: The client identifier of your application
  • client_secret: The secret key you acquired that is connected to your clientId
  • grant_type: The grant_type should be set to client_credentials
  • scope: This is a constant value that is unique for every environment: UAT (testing) and PROD.
      UAT = 705798e0-8cef-427c-ae00-6023deba29af/.default
      PROD = a3f3019f-2be9-41cc-a254-7bb347238e89/.default

3. Provide the access token with all requests

In all following calls, provide the request with an Authorization header with the value Bearer {{access_token}}.

// Example request with an Authorization header set

GET /manage/orders/0f05ebc2-89ec-4l13-830a-ac4e0141f652 HTTP/1.1
Host: // (Please note! Different hostname in production)
Content-Type: application/json
Authorization: Bearer bXlVc2VybmFtZTpmN2E1ODA4MGQzZTk0M2VmNWYyMTZlMDE...
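
Steps 2 and 3 combined into one client-side helper, as an added example that is not Walley's own code: it builds the form-encoded token request, reuses the token until shortly before it expires, and produces the Authorization header. `TokenCache`, `http_send` and the 60-second `skew` are hypothetical names and values; the token host is not shown on this page, so the caller supplies the full URL; `access_token` and `expires_in` are assumed to be the standard OAuth2 response fields.

```python
import json
import time
import urllib.parse
import urllib.request

# Scope values come from the page; the token host is not shown there, so the
# caller passes the full URL (the path is /oauth2/v2.0/token).
SCOPES = {
    "UAT": "705798e0-8cef-427c-ae00-6023deba29af/.default",
    "PROD": "a3f3019f-2be9-41cc-a254-7bb347238e89/.default",
}

def build_token_request(token_url, client_id, client_secret, env):
    """Build the form-encoded client_credentials POST described in step 2."""
    if not token_url.startswith("https://"):
        raise ValueError("refusing to send client_secret over a non-HTTPS URL")
    form = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": SCOPES[env],
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(token_url, data=form, headers=headers, method="POST")

def http_send(request):
    """Default transport: send the request and decode the JSON response."""
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.load(response)

class TokenCache:
    """Hypothetical helper: reuse a token until shortly before it expires."""

    def __init__(self, token_url, client_id, client_secret, env,
                 send=http_send, clock=time.monotonic, skew=60):
        self._args = (token_url, client_id, client_secret, env)
        self._send, self._clock, self._skew = send, clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self):
        if self._token is None or self._clock() >= self._expires_at:
            # Assumed standard OAuth2 response fields: access_token, expires_in.
            reply = self._send(build_token_request(*self._args))
            self._token = reply["access_token"]
            self._expires_at = self._clock() + int(reply["expires_in"]) - self._skew
        return self._token

    def auth_header(self):
        """Header for step 3: Authorization: Bearer <access_token>."""
        return {"Authorization": f"Bearer {self.token()}"}
```

Load the client id and secret from a secret store or environment variable at startup rather than embedding them in source, and keep both the secret and the returned token out of logs.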