Communication API differs from other integration points in that it is not hosted by us, but by you - built to a specification provided by Shaype. This API defines a set of webhooks that we will call to notify you about various platform events, like card transactions or customer details changes. This also means that it will be us authenticating against your endpoints.

We currently support two authentication schemes: Long-living Bearer token, and OAUTH2.

Long-living Bearer token

When this scheme is selected, you will provide us with a long-living authentication token that we will configure in Shaype platform, and will be sending with our notification requests as an Authentication: Bearer HTTP header.

OAUTH2

When this scheme is selected, you will have to provide us with OAUTH2 access token endpoint and necessary grant. We currently support client_credentials and refresh_token grant types. We will call the token endpoint and use the returned access token when sending our notification requests as an Authentication: Bearer HTTP header.

The table below outlines configurable options on our end that allow flexibility when integrating with your OAUTH2 infrastructure.

Setting	Description	Example
Auth host	The token retrieval endpoint	https://your.auth.host.com/oauth/token
Webhook host	The base URL for webhook endpoints hosted by you. The events will be sent to the Webhook host followed by `/api/hay/v0/communications/email`, `/api/hay/v0/communications/notifications` and `/api/hay/v0/communications/sms`	https://your.comms.host.com/shaype/events
Secret	Shared grant of `client_credentials` or `refresh_token` type
Client ID	The client ID that you assign to Shaype
Refresh time (seconds)	Determines the lifetime of access token received from the token endpoint (in seconds)	82800 (23h)
Grant type	Grant type we should pass to the token retrieval endpoint	`client_credentials` or `refresh_token`
Audience	Optional audience type we should pass to the token retrieval endpoint
Encoding type	Determines how the parameters passed to the token retrieval endpoint should be encoded. Possible options: Url-encoded form JSON body