Getting started

The Mollie API offers four authentication methods:

API keys: default API access for a specific payment profile.
Advanced access tokens: advanced API access for organization-level data.
Optional: can be scoped to a specific mode or profile.
App access tokens (OAuth): access that allows you to make API requests on behalf of your connected customers.
Basic Auth: Base64-encoded string using the OAuth client ID and client secret as basic access credentials. It is used to generate and revoke tokens.

We recommend using API keys to get started.

📘
The API keys and Access tokens pages have been merged into a singular API access tokens page that you can find in your Mollie Web App under Developers.

API keys

API keys are used to authenticate and authorize API requests made by your application or backend systems. They're like secure passwords that identify your application to different systems.

The first thing you need is a website profile. Then, once you create one, you can generate API keys for it: Live API key and a Test API key.

Use a Test API key when building and testing your integration. Once you are ready to start processing real payments, you can swap your Test key for a Live API key.

Make sure to save your keys once created, as you cannot copy them after you leave the page. The keys will no longer be visible in the UI.

Rotating API keys

Previously, we only supported a single API key-pair per profile. This limitation has been lifted, which makes proper API key rotation possible. You can now:

Create a second API key for a profile
Start using the second API key in your integration
Only then remove the old API key safely

❗️
It’s very important to keep your API keys secure, so do not share them and regularly rotate them. Do not use API keys for third party integrations, but use OAuth instead.
If one or both of your keys accidentally leak, you can always regenerate them in the Web App.

Advanced access tokens

Advanced access tokens are special types of credentials used to grant access to organization-level resources. These are typically used for for organization-level actions: managing multiple connected accounts or users, automating administrative tasks, or integrating enterprise-level systems, however, they can also be scoped to a specific profile or mode.

Only users with the Admin role can currently create tokens. So if you do not have access to tokens - please ask the Admin of your Organization or have your role updated to Admin.

📘
Access tokens can only be viewed once, during access token creation.

App access tokens (OAuth)

With app access tokens, you can talk to the Mollie API on behalf of your users or proactively revoke authorizations. These are the tokens used to authenticate API requests on behalf of your users or connected businesses, communicate with the Mollie API on behalf of the user (with their consent), access the merchant’s account data, retrieve information, do things on behalf of your customers etc.

See the full example flow in our Implementing OAuth guide.

Basic Auth

Basic Authentication is an HTTP authentication scheme that sends credentials as a Base64-encoded string: Authorization: Basic <base64-encoded-username:password>.

In Mollie we use the client ID and client secret as basic access credentials:

"Basic " + toBase64(client_id + ":" + client_secret)

Basic Auth is used to generate and revoke tokens.

Comparison of authentication methods

For completeness’ sake, the following table compares the available authentication methods.

	API key	Advanced access token	App access tokens (OAuth)
Access level	Access to all actions on the payment processing APIs for a specific payment profile.	Access to the API actions you selected when creating the token. Optionally: can be limited to a specific payment profile	Access to the API actions the app user gave your app explicit permission to.
Requirements	Create a payment profile first via the Web app: Profiles overview, or using the Profiles API.	None.	Create an application, then have a user authorize your app to access their account data. See Mollie Connect for more information.
Test mode	API keys come in pairs. Use the Test API key for test mode.	Use the `testmode` parameter in your request. Optionally: can be limited to a specific API mode	Use the `testmode` parameter in your request.
Create via	Web App: Advanced Access tokens	Web App: Advanced access tokens	OAuth authorization flow