- A bearer access token in the
Authorizationheader. - The mandatory
X-Api-Versionheader (see Versioning).
How authentication works
Authentication is a two-step model. You hold long-lived client credentials and exchange them for short-lived access tokens.Create an API client in Shift
In Shift, create an API client for your service. Shift returns a
client_id and a client_secret (prefixed sk_…). The secret is shown once; copy it into your secret manager immediately.Exchange the credentials for an access token
Call the token endpoint (
POST /tokens) with your client_id and client_secret. Paylead returns a short-lived access token plus an expires_in (about an hour).Credentials vs. tokens
These are two different things; keep them straight:| Client secret | Access token | |
|---|---|---|
| Looks like | sk_<env>_… (prefixed) | An ES256 JWT (header.payload.signature, no prefix) |
| Lifetime | Long-lived; rotate on leak | Short-lived (~1 hour, see expires_in) |
| Where it lives | Your secret manager, never in code | In memory; fetch on demand and cache until expiry |
| Used to | Obtain access tokens at POST /tokens | Authenticate each API call |
Never send your
client_secret on a regular API call. It is only ever used against the token endpoint to mint an access token.Get your API client credentials
Create an API client in Shift (one per environment) under Settings > API Keys. Shift returns aclient_id and a client_secret. For the full walkthrough (signing in, creating, viewing, and revoking clients) see API keys and Sign in to Shift.
Exchange credentials for an access token
Call the token endpoint with yourclient_id and client_secret. The response carries the access token and its lifetime (expires_in, in seconds).
Code examples coming soon. The Paylead API (v2) is still under construction. Request and response examples for this section will be published once the contract is finalized. In the meantime, contact your Paylead account manager for early-access details.
Call the API
Pass the access token as a bearer credential and set the mandatoryX-Api-Version header. All calls must use HTTPS.
Code examples coming soon. The Paylead API (v2) is still under construction. Request and response examples for this section will be published once the contract is finalized. In the meantime, contact your Paylead account manager for early-access details.
401 Unauthorized. A call missing the X-Api-Version header is rejected; see Versioning. See Errors for the full list.
Sandbox vs. production credentials
Sandbox and production credentials are separate. A sandbox client cannot mint tokens that work against production, and the reverse.| Property | Sandbox | Production |
|---|---|---|
| Secret prefix | sk_… (sandbox) | sk_… (production) |
| Base URL | ||
| Access | Granted on signup | Granted after sandbox validation |
| Data | Test entities created by the client, no PII | Real Consumers, real transactions |
Use distinct secret-manager entries for each environment. Mixing them risks pointing your staging environment at production data.
Rotate credentials
Access tokens expire on their own (about an hour), so there is nothing to rotate there. What you protect and rotate is the client secret.Create a new client
In Shift, create a new API client for the same environment. It returns a fresh
client_id and client_secret.Roll the new credentials to your service
Update the secret in your secret manager. Redeploy or hot-reload the services that read it, so they exchange the new secret at the token endpoint.
Verify traffic is on the new client
Watch your logs or Shift’s API activity panel. Confirm requests are succeeding with tokens minted from the new secret.
Security checklist
- Store the
client_secretin a secret manager (Vault, AWS Secrets Manager, GCP Secret Manager). Never in code, never in environment files committed to Git. - Restrict who can create API clients in Shift. Audit the Program Manager role.
- Use a separate API client per service. If one service is compromised, you revoke one client, not all.
- Never log the
client_secretor the access token. - Log token usage on your side (request ID, timestamp). Correlate with Shift’s audit log if you suspect misuse.
What’s next
Versioning
The mandatory
X-Api-Version header and the version policy.Rate limits
Per-token request limits and backoff strategy.
Errors
Diagnose
401, 403, and other auth-related failures.Environments
Switch from sandbox to production safely.