Authorization header. Requests without a token, or with an expired or malformed token, are rejected before they reach any endpoint. Tokens are JSON Web Tokens (JWTs) issued by Cleo Pay — they encode your identity and permissions and are verified server-side on every call.
Sending the Authorization header
Add the following header to every API request:<your_token> with the JWT you received from Cleo Pay.
curl example
Request with a JSON body
When sending a request body (e.g. creating a payment), includeContent-Type: application/json alongside the Authorization header:
Token format
Cleo Pay tokens are JWTs (JSON Web Tokens), a standard format consisting of three Base64URL-encoded segments separated by dots:header.payload.signature. The payload contains your tenant identity and permission scopes. You do not need to parse the token yourself — simply forward it in the header as-is.
Tokens have an expiration time encoded in their payload (exp claim). If your token expires, requests will return a 401 Unauthorized error. Obtain a fresh token and retry.
Error responses
401 Unauthorized
Returned when the token is missing, malformed, or expired.Authorization: Bearer <token> header and that your token has not expired.
403 Forbidden
Returned when the token is valid and authenticated, but does not have permission to perform the requested action.Security best practices
Next steps
- Follow the Quickstart to make your first authenticated API call end to end.
- Read about Payments to understand what you can do once you’re authenticated.