# Authentication

Obtain and use access tokens for the FaciConnect API (OAuth2 client credentials).

The FaciConnect API uses the OAuth2 **client credentials** grant. Your backend exchanges the partner credentials for a short-lived `access_token` and sends it as a Bearer token on every API call.

## Obtaining a token

```http
POST {baseUrl}/token
Authorization: Basic base64(CLIENT_ID:CLIENT_SECRET)
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&validity_period=3600
```

Response:

```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6...",
  "token_type": "Bearer",
  "expires_in": 3600
}
```

`validity_period` is the lifetime you request, in seconds. Treat the `expires_in` returned by the server as authoritative; it may be shorter than what you asked for.

## Example

```js Node.js
// CLIENT_ID, CLIENT_SECRET and API_URL come from the backend's configuration
// (environment variables or a secrets manager), never from the frontend.
const basic = Buffer.from(`${CLIENT_ID}:${CLIENT_SECRET}`).toString('base64');

const res = await fetch(`${API_URL}/token`, {
  method: 'POST',
  headers: {
    Authorization: `Basic ${basic}`,
    'Content-Type': 'application/x-www-form-urlencoded',
  },
  body: 'grant_type=client_credentials&validity_period=3600',
});

// A non-2xx answer (bad credentials, disabled client) has no access_token;
// fail loudly instead of caching `undefined`.
if (!res.ok) {
  throw new Error(`token request failed: ${res.status} ${await res.text()}`);
}

const { access_token, expires_in } = await res.json();
```

```bash curl
# -u lets curl build the Basic header itself, which avoids the line wrapping
# that `base64` applies to long CLIENT_ID:CLIENT_SECRET strings.
curl -sS -X POST "$API_URL/token" \
  -u "$CLIENT_ID:$CLIENT_SECRET" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&validity_period=3600"
```

```python Python
import base64
import requests

# CLIENT_ID, CLIENT_SECRET and API_URL are read from the backend's configuration.
basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()

res = requests.post(
    f"{API_URL}/token",
    headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    },
    # requests form-encodes a dict, matching the Content-Type above
    data={"grant_type": "client_credentials", "validity_period": 3600},
    timeout=10,
)
res.raise_for_status()  # surface 401/403 instead of a KeyError below

body = res.json()
access_token = body["access_token"]
expires_in = body["expires_in"]
```

## Caching the token

Cache the token in memory and renew it about 60 s before it expires. Do not request a new token on every call: each `/token` request costs a round trip and needlessly exercises the client secret.
```js
// requestNewToken() is the POST /token call from the example above; it
// resolves to the JSON response ({ access_token, expires_in, ... }).
let cachedToken = null;

async function getAccessToken() {
  // Reuse the cached token while it is still inside its safety margin.
  if (cachedToken && cachedToken.exp > Date.now()) return cachedToken.value;

  const token = await requestNewToken();
  cachedToken = {
    value: token.access_token,
    // Expire the cache entry 60 s before the server does, so an in-flight
    // request never carries a token that dies mid-call.
    exp: Date.now() + (token.expires_in - 60) * 1000,
  };
  return cachedToken.value;
}
```

## Using the token

```http
POST {baseUrl}/facipaypartner/createPaymentOrder
Authorization: Bearer {access_token}
Accept-Language: pt
Content-Type: application/json
```

The `clientSecret` must **never** appear in the frontend. This flow runs **only on the backend**.
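The cache above is enough for a single caller, but under load several requests can find the cache expired at the same instant and each fire its own `/token` request, and a token revoked server-side is only noticed by a 401 on the API call. The following is an added example, not code from the FaciConnect docs: a single-flight version of the cache (concurrent callers share one `/token` request), a refresh margin driven by the server's `expires_in`, and a wrapper that sends the Bearer header and retries exactly once after a 401. The names `requestToken`, `TokenCache` and `authorizedFetch` are assumptions for this example; `requestToken` stands for whatever performs the page's `POST /token` call, and the clock is injected so the logic can be exercised offline with fakes.

```javascript
// Added example, not the project's own code. Assumed (hypothetical) names:
// `requestToken` performs the page's POST /token call and resolves to
// { access_token, expires_in }; `clock` returns ms since the epoch.
// Both are injected so the cache can be tested without network access.

const REFRESH_MARGIN_MS = 60 * 1000; // renew ~60 s before the token expires

class TokenCache {
  constructor(requestToken, clock = Date.now) {
    this.requestToken = requestToken;
    this.clock = clock;
    this.cached = null;   // { value, exp } or null
    this.inflight = null; // pending /token request shared by concurrent callers
  }

  // Returns a valid access token, issuing at most one /token request at a
  // time even when many callers hit an expired cache simultaneously.
  async get() {
    if (this.cached && this.cached.exp > this.clock()) return this.cached.value;
    if (!this.inflight) {
      this.inflight = this.refresh().finally(() => { this.inflight = null; });
    }
    return this.inflight;
  }

  async refresh() {
    const token = await this.requestToken();
    // Trust the server's expires_in, not the validity_period we asked for.
    // A token shorter than the margin is never cached (ttlMs <= 0).
    const ttlMs = token.expires_in * 1000 - REFRESH_MARGIN_MS;
    this.cached = { value: token.access_token, exp: this.clock() + ttlMs };
    return token.access_token;
  }

  // Drop the cached token, e.g. after the API answered 401.
  invalidate() { this.cached = null; }
}

// Calls the API with a Bearer token. On 401 it discards the cached token,
// obtains a fresh one and retries exactly once; a second 401 is returned to
// the caller so bad credentials cannot turn into a retry loop.
async function authorizedFetch(cache, url, init = {}, fetchImpl = globalThis.fetch) {
  const send = async () => {
    const token = await cache.get();
    const headers = { ...(init.headers || {}), Authorization: `Bearer ${token}` };
    return fetchImpl(url, { ...init, headers });
  };
  let res = await send();
  if (res.status === 401) {
    cache.invalidate();
    res = await send();
  }
  return res;
}
```

In production you would construct `new TokenCache(requestNewToken)` once per process and route every call to `{baseUrl}/facipaypartner/...` through `authorizedFetch`; the cache instance, like the client secret it indirectly protects, lives only on the backend.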