# Authentication
Obtain and use FaciConnect API access tokens (OAuth2 client credentials).
The FaciConnect API uses OAuth2 **client credentials**. Your backend exchanges the partner
credentials for a short-lived `access_token` and sends it as a Bearer token on every API call.
## Obtaining a token
```http
POST {baseUrl}/token
Authorization: Basic base64(CLIENT_ID:CLIENT_SECRET)
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&validity_period=3600
```
Response:
```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6...",
  "token_type": "Bearer",
  "expires_in": 3600
}
```
## Example
```js Node.js
// CLIENT_ID, CLIENT_SECRET and API_URL come from the backend's environment (or secret store)
const { CLIENT_ID, CLIENT_SECRET, API_URL } = process.env;
const basic = Buffer.from(`${CLIENT_ID}:${CLIENT_SECRET}`).toString('base64');
const res = await fetch(`${API_URL}/token`, {
  method: 'POST',
  headers: {
    Authorization: `Basic ${basic}`,
    'Content-Type': 'application/x-www-form-urlencoded',
  },
  body: 'grant_type=client_credentials&validity_period=3600',
});
// an error body (e.g. invalid_client) has no access_token; fail loudly instead of caching undefined
if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
const { access_token, expires_in } = await res.json();
```
```bash curl
# -u lets curl build the Basic header itself. Piping through `base64` inserts a line
# break once CLIENT_ID:CLIENT_SECRET exceeds 57 bytes (GNU base64 wraps at 76 columns),
# which silently corrupts the header. --fail makes a non-2xx response exit non-zero.
curl -sS --fail -X POST "$API_URL/token" \
  -u "$CLIENT_ID:$CLIENT_SECRET" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&validity_period=3600"
```
```python Python
import base64
import os

import requests

# credentials live in the backend's environment (or secret store), never in client code
CLIENT_ID = os.environ["CLIENT_ID"]
CLIENT_SECRET = os.environ["CLIENT_SECRET"]
API_URL = os.environ["API_URL"]

basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
res = requests.post(
    f"{API_URL}/token",
    headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    },
    # a dict passed as `data` is form-encoded by requests
    data={"grant_type": "client_credentials", "validity_period": 3600},
    timeout=10,
)
res.raise_for_status()  # an error body has no access_token; do not cache it
access_token = res.json()["access_token"]
```
## Caching the token
Cache the token in memory and renew it about 60 s before it expires. Do not request a new
token on every call: one backend process needs one cached token, and concurrent requests
that find the cache empty should share a single `/token` call rather than each issuing one.
```js
let cachedToken = null; // { value, exp }
let inflight = null;    // pending /token request shared by concurrent callers

async function getAccessToken() {
  if (cachedToken && cachedToken.exp > Date.now()) return cachedToken.value;
  if (!inflight) {
    // requestNewToken() is the /token call from the example above
    inflight = requestNewToken().then((token) => {
      // treat the token as expired 60 s early so a call never races the real expiry
      cachedToken = { value: token.access_token, exp: Date.now() + (token.expires_in - 60) * 1000 };
      return cachedToken.value;
    }).finally(() => { inflight = null; });
  }
  return inflight;
}
```
## Using the token
```http
POST {baseUrl}/facipaypartner/createPaymentOrder
Authorization: Bearer {access_token}
Accept-Language: pt
Content-Type: application/json
```
The `clientSecret` must **never** appear in the frontend. This flow runs **only on the backend**;
keep the `Basic` credentials and the issued `access_token` out of logs and out of any response
sent to a browser or mobile app.
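The caching section and the call above, combined into one backend client as an added example (this is not FaciConnect's own code). It caches the `access_token`, shares a single in-flight `/token` request between concurrent callers, renews 60 s before `expires_in`, and retries a call exactly once when the API answers 401 (token revoked or expired early). The endpoints, headers and form body are those documented on this page; `fetchImpl` and `now` are injected so the client can be exercised offline against the constructed fake API in the block, and `https://api.example.test`, the `tok-N` token format and the `partner-*` credentials are assumptions for the demo, not the real service.

```javascript
// Added example: FaciConnect client-credentials token client with caching,
// in-flight request sharing, early renewal and one retry on 401.
// Assumed for the offline demo: the fake API below and https://api.example.test.
class FaciConnectClient {
  constructor({ apiUrl, clientId, clientSecret, fetchImpl = globalThis.fetch, now = Date.now, skewMs = 60_000 }) {
    this.apiUrl = apiUrl;
    this.basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
    this.fetch = fetchImpl;
    this.now = now;
    this.skewMs = skewMs;
    this.cached = null;     // { value, exp }
    this.inflight = null;   // pending /token promise shared by concurrent callers
    this.tokenRequests = 0; // counts /token calls so the caching can be observed
  }

  async requestNewToken() {
    this.tokenRequests += 1;
    const res = await this.fetch(`${this.apiUrl}/token`, {
      method: 'POST',
      headers: { Authorization: `Basic ${this.basic}`, 'Content-Type': 'application/x-www-form-urlencoded' },
      body: 'grant_type=client_credentials&validity_period=3600',
    });
    if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
    const body = await res.json();
    if (typeof body.access_token !== 'string' || typeof body.expires_in !== 'number') {
      throw new Error('token response missing access_token/expires_in');
    }
    return body;
  }

  async getAccessToken() {
    if (this.cached && this.cached.exp > this.now()) return this.cached.value;
    if (!this.inflight) {
      this.inflight = this.requestNewToken()
        .then((t) => {
          // treat the token as expired skewMs early so a call never races the real expiry
          this.cached = { value: t.access_token, exp: this.now() + t.expires_in * 1000 - this.skewMs };
          return this.cached.value;
        })
        .finally(() => { this.inflight = null; });
    }
    return this.inflight;
  }

  // Drop a rejected token only if it is still the cached one (a refresh done meanwhile survives).
  invalidate(token) {
    if (this.cached && this.cached.value === token) this.cached = null;
  }

  async post(path, payload) {
    let token = await this.getAccessToken();
    for (let attempt = 0; ; attempt++) {
      const res = await this.fetch(`${this.apiUrl}${path}`, {
        method: 'POST',
        headers: { Authorization: `Bearer ${token}`, 'Accept-Language': 'pt', 'Content-Type': 'application/json' },
        body: JSON.stringify(payload),
      });
      if (res.status === 401 && attempt === 0) { // revoked or expired early: refresh once
        this.invalidate(token);
        token = await this.getAccessToken();
        continue;
      }
      if (!res.ok) throw new Error(`${path} failed: HTTP ${res.status}`);
      return res.json();
    }
  }
}

// Constructed fake of the two endpoints (not the real service) so the client runs offline.
function makeFakeApi({ clock, clientId, clientSecret, expiresIn = 3600 }) {
  const expected = 'Basic ' + Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  const issued = new Map(); // token -> server-side expiry (ms on `clock`)
  let counter = 0;
  const reply = (status, body) => ({ ok: status < 400, status, json: async () => body });
  const fetchImpl = async (url, init) => {
    if (new URL(url).pathname === '/token') {
      if (init.headers.Authorization !== expected) return reply(401, { error: 'invalid_client' });
      const token = `tok-${++counter}`;
      issued.set(token, clock() + expiresIn * 1000);
      return reply(200, { access_token: token, token_type: 'Bearer', expires_in: expiresIn });
    }
    const token = (init.headers.Authorization || '').replace(/^Bearer /, '');
    const exp = issued.get(token);
    if (exp === undefined || exp <= clock()) return reply(401, { error: 'invalid_token' });
    return reply(200, { orderId: `order-${counter}`, received: JSON.parse(init.body) });
  };
  return { fetchImpl, revoke: (token) => issued.delete(token) };
}

// Exercises the client on a fake clock and returns what was observed.
async function demo() {
  let t = 0;
  const clock = () => t;
  const creds = { clientId: 'partner-id', clientSecret: 'partner-secret' };
  const api = makeFakeApi({ clock, ...creds });
  const client = new FaciConnectClient({ apiUrl: 'https://api.example.test', ...creds, fetchImpl: api.fetchImpl, now: clock });
  const tokens = await Promise.all(Array.from({ length: 10 }, () => client.getAccessToken()));
  const coldCalls = client.tokenRequests;                          // 1: ten concurrent callers, one /token call
  t = 3_600_000 - 61_000; await client.getAccessToken();
  const warmCalls = client.tokenRequests;                          // still 1: served from cache
  t = 3_600_000 - 30_000; const renewed = await client.getAccessToken();
  const skewCalls = client.tokenRequests;                          // 2: renewed inside the 60 s window
  api.revoke(renewed);                                             // server drops the token early
  const order = await client.post('/facipaypartner/createPaymentOrder', { amount: 10 });
  return { distinct: new Set(tokens).size, coldCalls, warmCalls, skewCalls, retryCalls: client.tokenRequests, order };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

In production, construct one `FaciConnectClient` per process with the real credentials and omit `fetchImpl` and `now` (Node's global `fetch` and `Date.now` are used). The retry is limited to a single attempt on purpose: a second 401 with a freshly issued token means the credentials or the endpoint are wrong, and looping would only hammer `/token`.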