Getting started
The Mollie API offers four authentication methods:
- API keys: default API access for a specific payment profile.
- Organization access tokens: advanced API access for organization-level data. (API v2 and later)
- App access tokens (OAuth): access that allows you to make API requests on behalf of your connected customers.
- Basic Auth: Base64-encoded string using the OAuth client ID and client secret as basic access credentials. It is used to generate and revoke tokens.
We recommend using API keys to get started.
API keys
API keys authenticate and authorize the API requests made by your application or backend systems. Treat them like passwords: whoever holds a key can act as your application towards Mollie.
You first need a website profile, because each website profile has its own Live API key and Test API key.
While building and testing your integration, use the Test API key (read more about test mode in our guide Testing the Mollie API). Once you are ready to process real payments, switch from the Test API key to the Live API key.
Keep your API keys secure: store them server-side only, never share them or commit them to source control, and rotate them regularly.
If one or both of your keys accidentally leak, regenerate them in the web app and update your integration with the new values.
Organization access tokens
Organization access tokens are credentials that grant access to organization-level resources. They are typically used for organization-level actions: managing multiple connected accounts or users, automating administrative tasks, or integrating enterprise systems.
App access tokens (OAuth)
App access tokens are the credentials your app uses to call the Mollie API on behalf of your users or connected businesses. After a user has authorized your app (with their consent), your app can access that merchant's account data, retrieve information, and perform actions on their behalf. You can also proactively revoke an authorization when it is no longer needed.
See the full example flow in our Implementing OAuth guide.
Basic Auth
Basic Authentication is an HTTP authentication scheme that sends credentials as a Base64-encoded string in the Authorization header: Authorization: Basic <base64-encoded-username:password>.
In Mollie we use the client ID and client secret as basic access credentials:
"Basic " + toBase64(client_id + ":" + client_secret)
Basic Auth is used to generate and revoke tokens.
Note that Base64 is an encoding, not encryption: anyone who sees the header can recover your client secret. Only send it over HTTPS, and make sure the header is never written to logs.
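The following is an added example, not code from this page or from Mollie: it builds the Basic Auth header exactly as described above, decodes it again to show that the client secret is recoverable from the header, and redacts it for logging. The client ID and secret are placeholders; the only real values used are the RFC 7617 test vector.

```python
import base64
import binascii


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the value of the Authorization header for Basic Auth.

    RFC 7617 separates user-id and password with a colon, so the user-id
    (here the client ID) must not itself contain one; the secret may.
    """
    if not client_id or not client_secret:
        raise ValueError("client_id and client_secret are required")
    if ":" in client_id:
        raise ValueError("client_id must not contain ':'")
    credentials = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def parse_basic_auth_header(header_value: str) -> tuple:
    """Decode a Basic Auth header back into (client_id, client_secret).

    This is what any proxy, log collector or attacker on a non-TLS path
    can do: Base64 hides nothing. Splitting on the first colon keeps
    secrets that contain ':' intact.
    """
    scheme, _, encoded = header_value.partition(" ")
    if scheme != "Basic" or not encoded:
        raise ValueError("not a Basic Auth header")
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic Auth credentials") from exc
    client_id, sep, client_secret = decoded.partition(":")
    if not sep:
        raise ValueError("credentials must be 'client_id:client_secret'")
    return client_id, client_secret


def redact_authorization(header_value: str) -> str:
    """Replace the credential part of an Authorization header before logging."""
    scheme, _, _ = header_value.partition(" ")
    return f"{scheme} [REDACTED]" if scheme else "[REDACTED]"


if __name__ == "__main__":
    # Placeholder credentials (constructed, not real Mollie values).
    header = basic_auth_header("app_example_client_id", "example_client_secret")
    print(redact_authorization(header))
    print(parse_basic_auth_header(header))  # the secret comes straight back
```

Run the round trip once in a scratch script and you will see the secret printed in clear text from the header alone; that is the reason for the HTTPS-only and no-logging rule above.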
Comparison of authentication methods
For completeness’ sake, the following table compares the available authentication methods.
| | API key | Organization access token | App access tokens (OAuth) |
|---|---|---|---|
| Access level | Access to all actions on the payment processing APIs for a specific payment profile. | Access to the API actions you selected when creating the token. | Access to the API actions the app user gave your app explicit permission to. |
| Requirements | Create a payment profile first via the Web app: Profiles overview, or using the Profiles API. | None. | Create an application, then have a user authorize your app to access their account data. See Mollie Connect for more information. |
| Test mode | API keys come in pairs. Use the Test API key for test mode. | Use the testmode parameter in your request. | Use the testmode parameter in your request. |
| Create via | Web app: API keys | Web app: Organization access tokens | OAuth authorization flow |
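The test-mode row is where integrations most often go wrong: with API keys the mode is chosen by which key you send, while with organization and app access tokens a single token serves both modes and test mode is requested with the testmode parameter. The following added example (not code from this page or from Mollie) puts that decision in one place. It assumes the credential is sent as a bearer token in the Authorization header, which this page does not state, and all key and token values are placeholders.

```python
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class ApiKeyPair:
    """The Test/Live API key pair of one payment profile."""
    test_key: str
    live_key: str


@dataclass(frozen=True)
class AccessToken:
    """An organization access token or an OAuth app access token."""
    token: str


Credential = Union[ApiKeyPair, AccessToken]


def prepare_request(credential: Credential, payload: dict, live: bool) -> tuple:
    """Return (headers, body) for one API call in the requested mode.

    - ApiKeyPair: test mode is selected by *which key* is sent, so the body
      is left as-is. A 'testmode' key in the payload is refused so that the
      mode is decided here and nowhere else.
    - AccessToken: the same token is used in both modes, so test mode is
      requested by adding testmode=true to the body.
    The bearer scheme below is an assumption, not something this page states.
    """
    body = dict(payload)  # never mutate the caller's payload
    if isinstance(credential, ApiKeyPair):
        if "testmode" in body:
            raise ValueError("with API keys, choose the Test or Live key instead of testmode")
        secret = credential.live_key if live else credential.test_key
    elif isinstance(credential, AccessToken):
        secret = credential.token
        if not live:
            body["testmode"] = True
    else:
        raise TypeError(f"unsupported credential type: {type(credential).__name__}")
    headers = {
        "Authorization": f"Bearer {secret}",
        "Content-Type": "application/json",
    }
    return headers, body


if __name__ == "__main__":
    # Placeholder credentials and payload (constructed, not real values).
    keys = ApiKeyPair(test_key="test_placeholder_key", live_key="live_placeholder_key")
    payment = {"amount": {"currency": "EUR", "value": "10.00"}, "description": "Order 1"}
    print(prepare_request(keys, payment, live=False))
    print(prepare_request(AccessToken("access_placeholder_token"), payment, live=False))
```

Keeping the live/test switch in a single function also makes it easy to assert in CI that a deployment configured for test mode can never produce a request carrying the Live API key.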