> ## Documentation Index
> Fetch the complete documentation index at: https://docs.dlocal.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

How to securely authenticate and make payment requests.

# Authentication: OAuth2 Bearer Token

To securely access dLocal's Payouts API, you must first obtain an access token using the OAuth2 Client Credentials flow. This token should then be included in the Authorization header of all subsequent API requests as a Bearer token.

## Step 1: Get a Bearer Token

Merchants must request an access token using the client credentials flow.

### Endpoint

[block:html]
{
  "html": "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n  <meta charset=\"UTF-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n  <title>URL Selector with Opacity</title>\n  <style>\n    .url-container {\n      display: flex;\n      align-items: center;\n      border-radius: 16px;\n      background-color: #fff;\n      padding: 10px;\n      box-shadow: 0 0 0px 1px #F5F5F5;\n      box-sizing: border-box;\n      border-color: transparent;\n      margin-top: 20px;\n      margin-bottom: 20px;\n      gap: 10px;\n      width: 100%;\n    }\n    \n    \n     [data-color-mode=\"dark\"] .url-container {\n      background-color: #F7F7F7;\n    }\n\n    .url-container .url-selector {\n      display: none;\n    }\n\n    .url-container label {\n      padding: 5px 5px;\n      border: 1px solid #ccc;\n      border-radius: 8px;\n      font-size: 11px;\n      color: #333;\n      background-color: #f9f9f9;\n      cursor: pointer;\n      transition: opacity 0.3s ease;\n    }\n\n    /* Reduce opacity for unselected labels */\n    #base-a:not(:checked) ~ label[for=\"base-a\"],\n    #sandbox-a:not(:checked) ~ label[for=\"sandbox-a\"] {\n      opacity: 0.5;\n    }\n\n    .url-container .pill-button {\n      border: none;\n      box-shadow: var(--box-shadow-pill);\n      background-color: #0171c2;\n      color: white;\n      padding: 5px 15px;\n      font-size: 14px;\n      border-radius: 25px;\n      text-transform: uppercase;\n      cursor: default; /* Cambia el cursor para indicar que no es clickeable */\n      text-shadow: 1px 1px 0 #0168b3, 0 1px 0 #0168b3, 1px 0 0 #0168b3;\n      margin-left: 5px;\n      white-space: nowrap !important;\n    }\n\n\n    .url-input {\n      display: none;\n      flex-grow: 1; /* Permitir que el input ocupe todo el espacio disponible */\n    }\n\n    #base-a:checked ~ .url-input[data-url=\"base-a\"],\n    #sandbox-a:checked ~ .url-input[data-url=\"sandbox-a\"] {\n     display: block;\n    }\n\n    .url-input input {\n      width: 100%;\n      border: none;\n      outline: none;\n      flex-grow: 1;\n      border-radius: 8px;\n      padding: 5px;\n      font-size: 12px;\n      color: #333;\n      user-select: all;\n    }\n\n    .url-input input:focus {\n      outline: 1px solid #F5F5F5;\n      border-radius: 16px;\n    }\n    \n\n/* Mobile-specific styles */\n@media screen and (max-width: 768px) {\n.url-container {\n    display: flex;\n    align-items: center;\n    flex-wrap: wrap; \n    width: 100%; \n    max-width: 100%; \n    box-sizing: border-box; \n}\n  \n.url-input input {\n    border: none;\n    outline: none;\n    border-radius: 8px;\n    padding: 5px;\n    font-size: 12px;\n    color: #333;\n    user-select: all;\n    width: 100%; /* Ocupa todo el ancho disponible */\n    max-width: 100%; /* No permite desbordarse */\n}\n}\n  </style>\n</head>\n<body>\n  <div class=\"url-container\">\n    <!-- Botón visual -->\n    <div class=\"pill-button\">Post</div>\n    \n    <!-- Radio inputs for URL options -->\n    <input id=\"base-a\" type=\"radio\" name=\"url\" class=\"url-selector\" checked>\n    <label for=\"base-a\">Production URL</label>\n\n    <!-- URL Display (readonly inputs) -->\n    <div class=\"url-input\" data-url=\"base-a\">\n      <input type=\"text\" readonly value=\"https://api.dlocal.com/oauth/token\">\n     </div>\n</body>\n</html>\n"
}
[/block]

### Example request

```json Example request
curl --location 'https://api.dlocal.com/oauth/token' \
--header 'Content-Type: application/json' \
--data-raw '{
  "grant_type": "client_credentials",
  "client_id": "{CLIENT_ID}",
  "client_secret": "{CLIENT_SECRET}"
}'
```
```json Successful response example
{
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjBlNGY1NTUxLWRlNDYt...",
  "scope": "payouts",
  "expires_in": 180,
  "token_type": "Bearer"
}
```

> 🚧
>
> Please note that the authorization token expires automatically after 180 seconds, so requests made after that window will require a new token.

### Request params

| Name            | Description                                                                                     |
| --------------- | ----------------------------------------------------------------------------------------------- |
| `grant_type`    | The `grant_type` parameter must be set to `client_credentials`.                                 |
| `client_id`     | Your merchant's Client ID. Your assigned Technical Account Manager will provide this value.     |
| `client_secret` | Your merchant's Client Secret. Your assigned Technical Account Manager will provide this value. |

> To get your credentials, please contact your designated Technical Account Manager or email us at <integrations@dlocal.com> to request setup.

### Response params

| Name           | Description                                                    |
| -------------- | -------------------------------------------------------------- |
| `access_token` | The access token string issued by dLocal.                      |
| `scope`        | A list with the permissions that the merchant can access.      |
| `expires_in`   | The duration (in seconds) for which the access token is valid. |
| `token_type`   | The type of token, which will always be `"Bearer"`.            |

## Step 2: Authenticate subsequent API requests

After successfully obtaining your `access_token` through the `/oauth/token` endpoint, you must include it in the Authorization header of all your subsequent API requests to dLocal's Payouts API v3. This ensures that your requests are authenticated and authorized.

### Authorization header

```json Authorization example
curl -X POST \
-H 'X-Date: {X-Date}' \
-H 'X-Version: 3.0' \
-H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjBlNGY1NTUxLWRlNDYt..." \
-d '{body}'
 https://api.dlocal.com/payouts/v3
```
```json Authorization format
Authorization: Bearer <YOUR_ACCESS_TOKEN>
```

# Important considerations

* **Expiration**. Access tokens have a limited lifespan, indicated by the `expires_in` attribute in the token response. You must implement a mechanism to refresh your token before it expires to avoid authentication errors.
* **Security**. Always keep your `client_id` and `client_secret` confidential. Do not expose them in client-side code or public repositories.
* **Error handling**. If your access token is invalid or expired, the API will return an HTTP 403 Forbidden error with an appropriate error code. Ensure your application handles these errors by requesting a new token.