app-id and secret-key, then include that token as a Bearer credential on every subsequent request. This page walks you through getting your credentials, requesting a token, and using it securely.
Before you start
You need an active Merchant Account and a linked site before you can generate credentials. Follow the Obtaining Integration Keys guide to complete that setup.Step 1: Obtain your credentials
1
Log in to the Merchant Portal
Open the portal for your target environment:
- Production: https://merchant.helloclever.co
- Sandbox: https://merchant.cleverhub.co
2
Create or open a linked site
Click + Link Site in the top-right corner and complete the wizard. Choose Custom APIs as the integration type for direct API access.
3
Copy your App ID and Secret Key
In the App ID & Key section of the site details, you will find:
- App ID (
app-id): a unique identifier for your linked site - Primary Secret Key (
secret-key): a confidential key used to authenticate requests
Step 2: Request an access token
Exchange yourapp-id and secret-key for a short-lived Bearer token by calling the access token endpoint.
Use the sandbox endpoint (
https://api.cleverhub.co) and sandbox credentials when developing or testing. Switch to the production endpoint only when you are ready to go live.Step 3: Authorise API requests
Include the access token in theAuthorization header of every API request:
Direct header authentication
Some endpoints — particularly the S2S Card API — acceptapp-id and secret-key directly as request headers instead of a Bearer token:
Special case: payment gateway link (JWT)
The/v1/payment_gateways/create_payment endpoint requires a JWT token instead of an app-id and secret-key. This endpoint is designed for client-to-server calls, and the JWT is generated by Hello Clever’s servers. Refer to the v1 API reference for details.
Token expiry and refresh
Theexpires_in field in the token response is in seconds. When a token expires, repeat Step 2 to obtain a new one. Build your integration to handle 401 Unauthorized responses gracefully by refreshing the token and retrying the request.
Security best practices
- Store credentials in environment variables or a secrets manager, not in source code or configuration files checked into version control.
- Rotate your
secret-keyperiodically to limit the blast radius of a potential leak. - Use HTTPS for all API calls to ensure credentials and tokens are transmitted over an encrypted connection.
- Scope access by creating separate linked sites (and therefore separate credentials) for different environments or applications.
- Monitor for unexpected usage in the Merchant Portal to detect potential credential misuse early.