# REST API Access Token ### Access token is required to make an i'mport REST API request. To get access to private resources, such as payment information, you must obtain an access token and include it in the i'mport REST API request. ### Get an access token {% hint style="danger" %} Request access token from server-side If you **request for access token from the client-side**, the **`REST API Key`****` ``and`** **`REST API Secret`** are **exposed to public creating a potential security vulnerability**. Therefore, you **must request for access token from the server-side.** {% endhint %} ### **STEP 01.** Request access code Use the**`REST API Key`** and **`REST API Secret`** obtained from the Admin console and call the REST API ([POST https://api.iamport.kr/users/getToken](https://api.iamport.kr/#!/authenticate/getToken)) to get an access token as follows: ![Admin Console > REST API Key & REST API Secret](https://2814812280-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhTv8JEzyM5h4cYcL5StH%2Fuploads%2Fuv3WIhwvd9QiQX4eCm2R%2Fimage.png?alt=media\&token=6071880c-f56d-4321-bd51-3916f4d569c0) {% tabs %} {% tab title="curl" %} {% code title="server-side" %} ```python curl -H "Content-Type: application/json" POST -d '{"imp_key": "REST API key", "imp_secret":"REST API Secret"}' https://api.iamport.kr/users/getToken ``` {% endcode %} {% endtab %} {% tab title="Node.js" %} {% code title="server-side" %} ```javascript // Request access token axios({ url: "https://api.iamport.kr/users/getToken", // POST method method: "post", // "Content-Type": "application/json" headers: { "Content-Type": "application/json" }, data: { // REST API key imp_key: "imp_apikey", // REST API Secret imp_secret: "ekKoeW8RyKuT0zgaZsUtXXTLQ4AhPFW3ZGseDA6bkA5lamv9OqDMnxyeB9wqOsuO9W3Mx9YSJ4dTqJ3f" } }); ``` {% endcode %} {% endtab %} {% tab title="Python" %} ```python import requests import json def getTokenApi(path): API_HOST = "https://api.iamport.kr" url = API_HOST + path headers = {'Content-Type': 'application/json', 'charset': 'UTF-8', 'Accept': '*/*'} body = { "imp_key": "", # REST API Key "imp_secret": "" # REST API Secret } try: response = requests.post(url, headers=headers, data=json.dumps(body, ensure_ascii=False, indent="\t")) return response except Exception as ex: res=getTokenApi("/users/getToken") # API call json_object=json.loads(res.text) # Convert to JSON object TokenVal = json_object['response']['access_token'] # Parse the token print(TokenVal) ``` {% endtab %} {% endtabs %} ### **STEP 02.** Get access token Get the access token from the response as follows: {% code title="Response" %} ```json { "code": 0, "message": null, "response":{ "access_token": "a9ace025c90c0da2161075da6ddd3492a2fca776", // access token "now": 1512446940, // i'mport REST API server's timestamp "expired_at": 1512448740, // token's expiration (UNIX timestamp, KST) }, } ``` {% endcode %} {% hint style="info" %} **Standard NTP Server** The i'mport REST API server synchronizes with the standard time using **Google Public NTP**. {% endhint %} ### **STEP 03.** Using access token You can use the access token to make an i'mport REST API call. Since i'mport REST APIs use the **Bearer** authentication method, the HTTP request header includes the access token in the following format: > Authorization: **Bearer** a9ace025c90c0da2161075da6ddd3492a2fca776 {% tabs %} {% tab title="curl" %} Call the REST API to get the payment details by **including the access token in the request header** as follows: {% code title="server-side" %} ``` curl -H "Content-Type: application/json" -H "Authorization: Bearer a9ace025c90c0da2161075da6ddd3492a2fca776" https://api.iamport.kr/payments/imp_448280090638 ``` {% endcode %} {% endtab %} {% tab title="Node.js" %} {% code title="server-side" %} ```json axios({ url: "https://api.iamport.kr/payments/imp_448280090638", method: "get", // GET method headers: { // "Content-Type": "application/json" "Content-Type": "application/json", // Reissuing and Reusing Access Token ssued access token "Authorization": "Bearer a9ace025c90c0da2161075da6ddd3492a2fca776" } }); ``` {% endcode %} {% endtab %} {% endtabs %} ### Reissuing and Reusing Access Token The expiration of the access token is **30 minutes** from the time of issuance. A token **cannot be used after its expiration**. An API call request with an expired token returns a **`401 Unauthorized`** response. > * Reissuance (after expiration): A new access token is issued. (Expiration: 30 minutes after issuance) > * Reuse (before expiration): Existing access token is reused. (Expiration: same as before, but extended by 5 minutes if requested within 1 minute from the original expiration) ![](https://2814812280-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhTv8JEzyM5h4cYcL5StH%2Fuploads%2FgkrKzTV8LxHFA1chYN7D%2Faccess_token_reuse.png?alt=media\&token=905df75a-155e-4b10-8f96-69d111667453) {% hint style="info" %} **5 minute extension of expiration** The reuse and 5 minute lifetime extension of access token are provided for the following situations: * Multiple web servers of a single merchant are competing to call the REST API (`/users/getToken`) at the same time. * Multiple web servers of a single merchant are not synchronized in time. {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://portone.gitbook.io/docs-en/api/rest-api-access-token.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.