
Authentication

OAuth2-style access tokens with refresh. The long-lived secret key never crosses the wire after the first issuance.

Audience: Developer
Difficulty: Basic
Updated: 2026-05-30

Auth model

miaPOS uses a token-pair model. The long-lived secretKey is used to issue a short-lived accessToken and a longer-lived refreshToken. The accessToken goes on every subsequent request as Authorization: Bearer .... The secretKey never crosses the wire again after the first POST /token.

Issuing tokens

POST /ecomm/api/v1/token
{
  "merchantId": "M12345",
  "secretKey":  "your-secret-key",
  "terminalId": "T0001"
}

Response:

{
  "accessToken":  "eyJhbGc...",
  "refreshToken": "eyJhbGc...",
  "expiresIn":    900
}

Refreshing tokens

POST /ecomm/api/v1/token/refresh
{"refreshToken": "eyJhbGc..."}

Returns a new pair. Issue a refresh when the existing accessToken is within ~60 s of expiry.
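
The refresh rule above as a server-side helper. This is an added example, not miaPOS code: TokenManager, post, load_secret and clock are hypothetical names, the refresh response is assumed to have the same fields as the issuance response, and both tokens are held in process memory only.

```python
import time

TOKEN_PATH = "/ecomm/api/v1/token"
REFRESH_PATH = "/ecomm/api/v1/token/refresh"
REFRESH_MARGIN_S = 60  # the page's rule: refresh within ~60 s of expiry


class TokenManager:
    """Keeps the token pair in process memory and refreshes it before expiry.

    Hypothetical helper. `post(path, body) -> dict` is a caller-supplied HTTPS
    transport; `load_secret()` reads secretKey from the server-side secret store.
    """

    def __init__(self, post, merchant_id, terminal_id, load_secret,
                 clock=time.monotonic):
        self._post = post
        self._merchant_id = merchant_id
        self._terminal_id = terminal_id
        self._load_secret = load_secret
        self._clock = clock
        self._access = self._refresh = None
        self._expires_at = 0.0

    def _store(self, pair, sent_at):
        # Count expiresIn from when the request was sent, so network latency
        # can only cause an early refresh, never a late one.
        self._access = pair["accessToken"]
        self._refresh = pair["refreshToken"]
        self._expires_at = sent_at + pair["expiresIn"]

    def authorization_header(self):
        now = self._clock()
        if self._refresh is None:
            # First issuance: the only request that carries secretKey.
            body = {"merchantId": self._merchant_id,
                    "secretKey": self._load_secret(),
                    "terminalId": self._terminal_id}
            self._store(self._post(TOKEN_PATH, body), now)
        elif self._expires_at - now <= REFRESH_MARGIN_S:
            # Assumption: the refresh response has the same shape as issuance.
            body = {"refreshToken": self._refresh}
            self._store(self._post(REFRESH_PATH, body), now)
        return {"Authorization": f"Bearer {self._access}"}
```

Call authorization_header() before each API request; it only touches the network on first use and when the current accessToken is inside the 60 s margin.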

Where to store credentials

  • secretKey — server-side secret store (env var, KMS, vault). Never in browser or client code.
  • refreshToken — same protection as secretKey.
  • accessToken — in-memory only. Don't persist.

If a secret leaks

Rotate immediately via the merchant portal (Settings → API credentials → Rotate). Both old tokens are revoked instantly; pending payments are unaffected.