Developer Apps
OAuth applications
Create partner apps, request delegated company access, and call MakeCrypto APIs with scoped OAuth tokens.
Developer portal
Create and manage partner applications at https://apps.makecrypto.io.
Applications belong to a MakeCrypto company and define the redirect URIs,
allowed OAuth scopes, webhooks, icon, support contact, privacy policy, and terms
shown during consent.
Each confidential application has a client secret. The secret is shown once when it is created or rotated, then stored only as a hash. Public applications must use PKCE and do not receive a secret.
Authorization Code with PKCE
MakeCrypto supports delegated company OAuth for partner applications. Start the
flow by sending the user to the authorization endpoint with an exact registered
redirect URI and a PKCE S256 challenge.
```http
GET https://makecrypto.io/oauth/authorize
    ?response_type=code
    &client_id=mco_app_...
    &redirect_uri=https%3A%2F%2Fpartner.example%2Fcallback
    &scope=company%3Aread%20makepay%3Apayment-links%3Aread
    &resource=https%3A%2F%2Fmakecrypto.io%2Fapi%2Fpartner%2Fv1
    &code_challenge=BASE64URL_SHA256_VERIFIER
    &code_challenge_method=S256
```
The user chooses the company, reviews the requested permissions, and approves or rejects access. If approval succeeds, MakeCrypto redirects back to the registered redirect URI with a short-lived authorization code.
Exchange the code at the token endpoint. Confidential clients authenticate with
client_secret_basic or client_secret_post; public clients authenticate with
their client_id and PKCE verifier.
```http
POST https://makecrypto.io/oauth/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic base64(client_id:client_secret)

grant_type=authorization_code
&code=mco_code_...
&redirect_uri=https%3A%2F%2Fpartner.example%2Fcallback
&code_verifier=ORIGINAL_PKCE_VERIFIER
```
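The two requests above, built end to end, as an added example rather than code from the MakeCrypto portal or SDKs. It generates the PKCE verifier, derives the S256 challenge exactly as RFC 7636 specifies (base64url of the SHA-256 digest, no padding), assembles the authorize URL with the scopes and `resource` shown on this page, and prepares the token exchange for either a confidential client (`client_secret_basic`) or a public client (`client_id` plus verifier, no secret). The `state` parameter is standard OAuth 2.0 CSRF protection that the page's request does not show; the client id, secret and code values are placeholders, and the SDK-free HTTP send is left to whatever client you use.

```python
import base64
import hashlib
import secrets
from urllib.parse import quote, urlencode

AUTHORIZE_URL = "https://makecrypto.io/oauth/authorize"
TOKEN_URL = "https://makecrypto.io/oauth/token"
RESOURCE = "https://makecrypto.io/api/partner/v1"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """32 random bytes -> 43-character verifier (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, scopes: list,
                        verifier: str, state: str) -> str:
    """Step 1: the URL the user is sent to. Scopes are space-separated;
    quote_via=quote yields %20 and %3A%2F%2F as in the page's example."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,          # must match a registered URI exactly
        "scope": " ".join(scopes),
        "resource": RESOURCE,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
        "state": state,                         # standard CSRF binding (assumption: not shown on page)
    }
    return AUTHORIZE_URL + "?" + urlencode(params, quote_via=quote)


def build_token_request(client_id: str, client_secret, code: str,
                        redirect_uri: str, verifier: str):
    """Step 2: headers and form body for POST /oauth/token.
    client_secret=None selects the public-client form (client_id in the body)."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,              # the original verifier, never the challenge
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is None:
        form["client_id"] = client_id           # public client: PKCE is the proof
    else:
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8"))
        headers["Authorization"] = "Basic " + creds.decode("ascii")   # client_secret_basic
    return headers, urlencode(form, quote_via=quote)


if __name__ == "__main__":
    verifier = new_code_verifier()            # persist this in the user's session
    state = secrets.token_urlsafe(16)         # persist and compare on the callback
    print(build_authorize_url("mco_app_PLACEHOLDER", "https://partner.example/callback",
                              ["company:read", "makepay:payment-links:read"], verifier, state))
    print(build_token_request("mco_app_PLACEHOLDER", None, "mco_code_PLACEHOLDER",
                              "https://partner.example/callback", verifier))
```

Keep the verifier and `state` server-side in the user's session between the two steps; on the callback, reject the code if `state` does not match before exchanging it.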
Access tokens are short-lived JWT bearer tokens. Refresh tokens rotate on every use, and refresh-token reuse revokes the token family.
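To make the refresh-token rule concrete, here is an in-memory model of rotation with family revocation, written for this page as an illustration and not MakeCrypto's server code. Each refresh token belongs to a family; a rotate call with the current token mints a successor, while presenting any older token of the family (a replay, whether from a leaked backup or a stolen copy) marks the whole family revoked so the legitimate successor stops working too. The `mco_rt_` prefix and the family id format are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenFamily:
    family_id: str
    current: str                       # the only refresh token valid right now
    seen: set = field(default_factory=set)   # every token ever minted in this family
    revoked: bool = False


class RefreshTokenStore:
    """Toy rotating-refresh-token store with reuse detection (constructed example)."""

    def __init__(self):
        self.families = {}             # family_id -> TokenFamily
        self.token_to_family = {}      # refresh token -> family_id

    def _mint(self, family: TokenFamily) -> str:
        token = "mco_rt_" + secrets.token_urlsafe(24)   # constructed prefix
        family.current = token
        family.seen.add(token)
        self.token_to_family[token] = family.family_id
        return token

    def issue(self) -> str:
        """Initial grant: start a new family and return its first refresh token."""
        family = TokenFamily(family_id=secrets.token_hex(8), current="")
        self.families[family.family_id] = family
        return self._mint(family)

    def rotate(self, presented: str):
        """Refresh grant. Returns the successor token, or None when refused."""
        family_id = self.token_to_family.get(presented)
        if family_id is None:
            return None                # unknown token
        family = self.families[family_id]
        if family.revoked:
            return None                # family already killed by an earlier reuse
        if presented != family.current:
            # An older, already-rotated token was replayed: someone other than the
            # current holder has it. Revoke the entire family, successor included.
            family.revoked = True
            return None
        return self._mint(family)

    def is_revoked(self, token: str) -> bool:
        family_id = self.token_to_family.get(token)
        return family_id is None or self.families[family_id].revoked
```

For a partner backend the practical consequence is that the new refresh token must be persisted atomically with the response: if you lose it after a successful rotate and retry with the old one, you revoke your own connection.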
Official native integrations, such as the MakePay WordPress plugin, do not
use the developer portal or a shared client secret. They register a per-store
public installation at POST /oauth/native/installations, use exact callback
URI matching, and receive DPoP-bound tokens that must be sent with
Authorization: DPoP and a matching DPoP proof header.
Official SDKs
Use the official SDKs when you want a server-side integration without building the HTTP client, payment-link payloads, and webhook signature verification from scratch.
| SDK | Use it for | Guide |
|---|---|---|
| MakePay PHP SDK | PHP, Laravel, Symfony, custom checkout, and backend payment-link creation. | PHP SDK |
| MakePay NPM SDK | Node.js, Next.js, TypeScript backends, and server-side webhook handlers. | NPM SDK |
Endpoints
| Purpose | Endpoint |
|---|---|
| Authorization | GET /oauth/authorize |
| Token exchange | POST /oauth/token |
| Revocation | POST /oauth/revoke |
| Introspection | POST /oauth/introspect |
| Pushed authorization request | POST /oauth/par |
| Native installation registration | POST /oauth/native/installations |
| JWKS | GET /oauth/jwks.json |
| Authorization server metadata | GET /.well-known/oauth-authorization-server |
| Protected resource metadata | GET /.well-known/oauth-protected-resource |
Scopes
| Scope | Access |
|---|---|
| company:read | Read selected company identity and basic settings. |
| wallet:balances:read | Read wallet balances for the selected company. |
| wallet:activity:read | Read wallet and settlement activity. |
| makepay:payment-links:read | Read MakePay payment links and payment status. |
| makepay:payment-links:write | Create and update MakePay payment links. |
| makepay:customers:read | Read MakePay customer records. |
| makepay:customers:write | Create and update MakePay customer records. |
| makepay:subscriptions:read | Read MakePay subscription records. |
| makepay:subscriptions:write | Create and update MakePay subscriptions. |
| makepay:settings:read | Read MakePay merchant settings and enabled assets. |
| makepay:settings:write | Update MakePay merchant settings and callback configuration. |
| makepay:webhooks:read | Read MakePay webhook endpoints and delivery logs. |
| makepay:webhooks:write | Create, update, test, and retry MakePay webhook deliveries. |
API route permissions
| Route | Method | Required scope |
|---|---|---|
| /api/partner/v1/makepay/payment-links | GET | makepay:payment-links:read |
| /api/partner/v1/makepay/payment-links | POST | makepay:payment-links:write |
| /api/partner/v1/makepay/customers | GET | makepay:customers:read |
| /api/partner/v1/makepay/customers | POST | makepay:customers:write |
| /api/partner/v1/makepay/subscriptions | GET | makepay:subscriptions:read |
| /api/partner/v1/makepay/subscriptions | POST | makepay:subscriptions:write |
| /api/partner/v1/makepay/settings | GET | makepay:settings:read |
| /api/partner/v1/makepay/settings | PUT | makepay:settings:write |
| /api/partner/v1/makepay/webhook-requests | GET | makepay:webhooks:read |
| /api/partner/v1/companies/{id}/wallet/balances | GET | wallet:balances:read |
| /api/partner/v1/companies/{id}/wallet/activity | GET | wallet:activity:read |
Webhook signing
Application webhooks include a makecrypto-signature header carrying a timestamp and
one or more v1 signature values. Verify that the timestamp is fresh, rebuild the
signed payload as timestamp.rawBody (the raw request body, before any parsing),
compute the expected signature over it with the webhook secret, and compare that
with the v1 value. The secret is shown once when the endpoint is created or rotated.
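A receiver for that header, written for this page as an added example (not the MakePay SDKs' verifier). The page does not state the header's exact layout or the MAC algorithm, so this assumes the common `t=<unix seconds>,v1=<hex>` form and HMAC-SHA256; adjust both if your endpoint's documentation differs. The freshness window, secret and event body are constructed. It handles the two failure modes a verifier must get right: a stale or malformed timestamp is rejected before any MAC work, and the comparison is constant-time. Several `v1` values are accepted so deliveries signed with both the old and new secret during a rotation still verify.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300   # assumed freshness window; pick what your replay risk allows


def parse_signature_header(header: str) -> dict:
    """Parse 't=<unix>,v1=<hex>[,v1=<hex>]' (assumed layout) into {key: [values]}."""
    parts = {}
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if sep:
            parts.setdefault(key, []).append(value)
    return parts


def compute_v1(secret: str, timestamp: str, raw_body: bytes) -> str:
    """Signed payload is timestamp '.' rawBody; HMAC-SHA256 is an assumption."""
    signed = timestamp.encode("ascii") + b"." + raw_body
    return hmac.new(secret.encode("utf-8"), signed, hashlib.sha256).hexdigest()


def sign_webhook(secret: str, raw_body: bytes, timestamp=None) -> str:
    """Sender side, used here only to produce test deliveries."""
    ts = str(int(time.time() if timestamp is None else timestamp))
    return f"t={ts},v1={compute_v1(secret, ts, raw_body)}"


def verify_webhook(secret: str, header: str, raw_body: bytes,
                   now=None, tolerance: int = TOLERANCE_SECONDS) -> bool:
    """Receiver side: freshness first, then constant-time MAC comparison.
    raw_body must be the bytes as received, not a re-serialised JSON object."""
    parts = parse_signature_header(header)
    ts_values = parts.get("t", [])
    v1_values = parts.get("v1", [])
    if len(ts_values) != 1 or not v1_values or not ts_values[0].isdigit():
        return False                                  # malformed header
    ts = ts_values[0]
    now = int(time.time() if now is None else now)
    if abs(now - int(ts)) > tolerance:
        return False                                  # stale (or far-future) delivery
    expected = compute_v1(secret, ts, raw_body).encode("ascii")
    return any(hmac.compare_digest(expected, candidate.encode("utf-8"))
               for candidate in v1_values)


if __name__ == "__main__":
    # Constructed delivery: a made-up secret and event body.
    secret = "whsec_CONSTRUCTED_EXAMPLE"
    body = b'{"id":"evt_example","type":"payment_link.paid"}'
    header = sign_webhook(secret, body)
    print("valid:", verify_webhook(secret, header, body))
    print("tampered:", verify_webhook(secret, header, body + b" "))
```

Read the body as bytes from the request stream before any JSON middleware touches it; a single re-serialisation difference (key order, whitespace) changes the MAC and every delivery fails verification.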
Connected app management
Approved OAuth grants are visible in the company dashboard under
Integrations -> Connected apps. Company admins can review app status, last
access, and granted scopes, then revoke access when a partner connection should
stop working.