AgnicPay
Authentication

OAuth2 Integration

Let users authorize your app to make X402 payments on their behalf

OAuth2 Integration

OAuth2 allows your application to request permission from AgnicPay users to make X402 payments on their behalf. Users set their own spending limits and can revoke access anytime.

Why OAuth2?

  • User-controlled limits - Users set daily/monthly spending caps
  • Revocable access - Users can disconnect your app anytime
  • Network selection - Users choose which networks to allow
  • Long-lived tokens - Access tokens last 30-60 days with refresh

Authorization Flow

Step 1: Redirect to Authorization

Redirect users to our authorization endpoint:

https://api.agnic.ai/oauth/authorize?
  client_id=your-app-name
  &redirect_uri=https://yourapp.com/callback
  &state=random_csrf_token
  &scope=payments:sign+balance:read
  &response_type=code

Step 2: User Grants Permission

The user logs in, sets spending limits (per-transaction, daily, monthly), selects allowed networks, and approves your app.

Step 3: Receive Authorization Code

User is redirected back to your app with an authorization code:

https://yourapp.com/callback?code=abc123&state=random_csrf_token

Step 4: Exchange for Tokens

Exchange the code for access and refresh tokens:

curl -X POST https://api.agnic.ai/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "authorization_code",
    "code": "abc123",
    "redirect_uri": "https://yourapp.com/callback",
    "client_id": "your-app-name"
  }'

Token Response

{
  "access_token": "agnic_at_abc123...",
  "refresh_token": "agnic_rt_xyz789...",
  "token_type": "Bearer",
  "expires_in": 2592000,
  "scope": "payments:sign balance:read"
}

Token Expiration:

  • Access tokens: 30-60 days (varies by client type)
  • Refresh tokens: 90 days
  • N8N tokens: 1 year (for automation workflows)

Using the Access Token

# Check user's balance
curl https://api.agnic.ai/api/balance \
  -H "Authorization: Bearer agnic_at_abc123..."
 
# Make X402 payment (AI Gateway)
curl https://api.agnic.ai/v1/chat/completions \
  -H "Authorization: Bearer agnic_at_abc123..." \
  -H "Content-Type: application/json" \
  -d '{
    "model": "openai/gpt-4o",
    "messages": [{"role": "user", "content": "Hello!"}]
  }'
 
# Get transaction history
curl https://api.agnic.ai/api/transactions \
  -H "Authorization: Bearer agnic_at_abc123..."

Refreshing Tokens

When the access token expires, use the refresh token to get a new one:

curl -X POST https://api.agnic.ai/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "refresh_token",
    "refresh_token": "agnic_rt_xyz789..."
  }'

Authorization Parameters

ParameterRequiredDescription
client_idYesYour application identifier
redirect_uriYesWhere to send user after authorization
stateYesCSRF protection token (returned unchanged)
scopeNoSpace-separated scopes (default: payments:sign balance:read)
response_typeYesMust be code
code_challengeNoPKCE code challenge (recommended)
code_challenge_methodNoPKCE method (default: S256)
promptNoControls consent behavior

Prompt Parameter

The prompt parameter follows the OpenID Connect standard:

ValueBehavior
(omitted)Auto-approve if user previously consented
noneSilent auth only - error if consent needed
consentForce consent screen even if previously consented
loginForce re-authentication before authorization

Returning users are auto-approved by default (like Google/GitHub). Use prompt=consent to force users to review permissions again.

Register Your Application

To use OAuth2, contact us to register your application and get your redirect URIs whitelisted.

Register Your App →

For public clients (mobile apps, SPAs), we recommend using PKCE:

// Generate code verifier
const codeVerifier = generateRandomString(64);
 
// Create code challenge
const codeChallenge = base64UrlEncode(sha256(codeVerifier));
 
// Include in authorization URL
const authUrl = `https://api.agnic.ai/oauth/authorize?
  client_id=your-app
  &redirect_uri=https://yourapp.com/callback
  &state=random_state
  &response_type=code
  &code_challenge=${codeChallenge}
  &code_challenge_method=S256`;
 
// Include verifier in token exchange
const tokenResponse = await fetch('https://api.agnic.ai/oauth/token', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    grant_type: 'authorization_code',
    code: authCode,
    redirect_uri: 'https://yourapp.com/callback',
    client_id: 'your-app',
    code_verifier: codeVerifier
  })
});

Next Steps

Available Scopes

API Reference

Previous

Authentication

Next

API Tokens

On this page

OAuth2 IntegrationWhy OAuth2?Authorization FlowStep 1: Redirect to AuthorizationStep 2: User Grants PermissionStep 3: Receive Authorization CodeStep 4: Exchange for TokensToken ResponseUsing the Access TokenRefreshing TokensAuthorization ParametersPrompt ParameterRegister Your ApplicationPKCE (Recommended)Next Steps