
Authentication

Obtain JWT tokens and authenticate API requests to the M2P Prepaid Platform.

The M2P Prepaid Platform uses JWT (JSON Web Token) authentication. You obtain a token by calling the login endpoint, then include it in all subsequent API requests.


Authentication Flow


Step-by-Step

Obtain a JWT Token

Call the login endpoint with your API credentials:

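cURL:

curl -X POST https://uat-api.m2p.com/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "username": "your_api_username",
    "password": "your_api_password"
  }'

JavaScript:

const response = await fetch('https://uat-api.m2p.com/auth/login', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    username: 'your_api_username',
    password: 'your_api_password'
  })
});

// Fail early on a rejected login instead of destructuring an error body
if (!response.ok) {
  throw new Error(`Login failed: HTTP ${response.status}`);
}

const { token } = await response.json();

Java:

import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

HttpClient client = HttpClient.newHttpClient();

HttpRequest request = HttpRequest.newBuilder()
    .uri(URI.create("https://uat-api.m2p.com/auth/login"))
    .header("Content-Type", "application/json")
    .POST(HttpRequest.BodyPublishers.ofString(
        "{\"username\":\"your_api_username\",\"password\":\"your_api_password\"}"
    ))
    .build();

// The response body is the JSON document shown below
HttpResponse<String> response = client.send(request,
    HttpResponse.BodyHandlers.ofString());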

Response:

{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "user": {
    "id": "604d5f1e8a2b3c001f8e4567",
    "username": "your_api_username",
    "entityId": "YOUR_TENANT",
    "role": "ISSUER_API"
  }
}

Make an Authenticated API Call

Include the JWT token in the Authorization header and your tenant ID in the TENANT header:

curl -X GET https://uat-api.m2p.com/Yappay/balance-manager/fetchBalance/KIT001 \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..." \
  -H "Content-Type: application/json" \
  -H "TENANT: YOUR_TENANT"

Handle Token Expiry

JWT tokens are valid for 24 hours. Implement token caching with proactive refresh:

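// Recommended: Refresh token 1 hour before expiry
const TOKEN_REFRESH_BUFFER = 60 * 60 * 1000; // 1 hour in ms

function isTokenExpiringSoon(token) {
  // JWT segments are base64url-encoded; map to standard base64 before atob()
  const base64 = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  const payload = JSON.parse(atob(base64));
  const expiryTime = payload.exp * 1000; // exp is in seconds, Date.now() in ms
  return Date.now() > (expiryTime - TOKEN_REFRESH_BUFFER);
}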
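
The caching side of this, as an added example that is not part of M2P's documentation: a server-side token provider that keeps the JWT in memory, refreshes it once it is inside the one-hour buffer, and shares a single login call among concurrent requests. The `login` callback, `createTokenProvider`, and the sample-token helper are assumptions made for illustration.

```javascript
const TOKEN_REFRESH_BUFFER = 60 * 60 * 1000; // refresh 1 hour before expiry

// Expiry in ms from the JWT payload. Segments are base64url, so decode as such.
// The signature is not checked here (the HS256 key stays with the issuer), so
// treat the result as a refresh-scheduling hint only, never as proof of validity.
function tokenExpiryMs(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return 0; // malformed: treat as already expired
  try {
    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return Number.isFinite(payload.exp) ? payload.exp * 1000 : 0;
  } catch {
    return 0;
  }
}

function needsRefresh(token, nowMs) {
  return !token || nowMs > tokenExpiryMs(token) - TOKEN_REFRESH_BUFFER;
}

// `login` is an assumed caller-supplied async function that POSTs to /auth/login
// and resolves to the JWT string; `now` is injectable so the logic can be tested.
function createTokenProvider(login, now = Date.now) {
  let cached = null;   // kept in server memory only, never logged or persisted
  let inFlight = null; // shared promise: concurrent callers trigger one login

  return async function getToken() {
    if (!needsRefresh(cached, now())) return cached;
    if (!inFlight) {
      inFlight = Promise.resolve()
        .then(login)
        .then((token) => {
          if (tokenExpiryMs(token) <= now()) throw new Error('login returned an unusable token');
          cached = token;
          return token;
        })
        .finally(() => { inFlight = null; });
    }
    return inFlight;
  };
}

// Constructed sample token with a dummy signature, for exercising the code offline.
function makeSampleToken(expSeconds) {
  const seg = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${seg({ alg: 'HS256', typ: 'JWT' })}.${seg({ exp: expSeconds })}.sig`;
}
```

Call `getToken()` before each API request and pass the result in the Authorization header; a failed login rejects for every waiting caller and the next call retries.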

Token Details

| Property | Value |
|---|---|
| Algorithm | HS256 |
| TTL | 24 hours |
| Refresh | Call /auth/login again before expiry |
| Format | Standard JWT (Header.Payload.Signature) |

JWT Payload Structure

| Field | Type | Description |
|---|---|---|
| id | String | Unique user ID |
| username | String | Your API username |
| entityId | String | Your tenant identifier |
| iat | Number | Token issued-at timestamp (Unix epoch) |
| exp | Number | Token expiry timestamp (Unix epoch) |

Never expose JWT credentials in client-side code, mobile apps, or public repositories. All API calls should be made from your server backend.
