The Dollr API uses OAuth 2.0 Client Credentials. Exchange your Client ID and Client Secret for a short-lived JWT, then send Authorization: Bearer <token> on every protected request.
Prerequisites
You need a verified merchant account and API credentials from merchant.heydollr.app → API Keys. See Environments for production URL, testing approach, and Realtime/Stripe credentials.
Until verification completes, some features (payouts, payment links, API keys, refunds) may be restricted. See the merchant portal for your account status.
Obtain an access token
POST /v1/jwt/client/obtain/token
No Bearer token is required for this call.
| Field | Type | Required | Description |
|---|---|---|---|
| client_id | string | Yes | Client ID from the merchant portal |
| client_secret | string | Yes | Client secret (shown once at creation) |
Response
| Field | Type | Description |
|---|---|---|
| access_token | string | JWT for subsequent requests |
| expires_in | integer | Validity in minutes |
```json
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "expires_in": 60
}
```
```bash
curl -X POST "https://api.heydollr.app/v1/jwt/client/obtain/token" \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "your-client-id",
    "client_secret": "your-client-secret"
  }'
```
Use the Bearer token
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Refresh proactively — request a new token when fewer than 5 minutes remain (expires_in is in minutes). Expired tokens return 401.
Security
- Store secrets in a vault or environment variables on your server.
- Rotate credentials from the merchant portal if a secret is exposed.
- Do not log full tokens in production logs.