Authentication

SettleRamp uses Bearer tokens for server-to-server API calls. Partners obtain an access token by exchanging client credentials and include it in the Authorization header of every request.

Important: Tokens are intended for server-side use only. Never expose credentials or tokens in frontend applications, browser code, or mobile clients.

Overview

The authentication flow is shown in the steps below. Each of the first three steps maps to a specific API endpoint; the fourth uses the resulting token on protected endpoints.

1. Login with partner credentials

   Use the /settle/api/settleid/auth/user/login endpoint to authenticate your partner account and obtain a login token.

2. Generate client credentials

   Use the login token to call /settle/api/auth/generate-key and create a client_id and client_secret for API access.

3. Exchange for an API token

   POST the credentials to /settle/api/auth/access. The response includes a Bearer token you will use on every subsequent call.

4. Call protected endpoints

   Attach the token as an Authorization: Bearer <token> header to every API request.

Partner Login

Authenticate your partner account to obtain a login token. This token is used to call the Generate Key endpoint for client credentials provisioning.

POST {{_apiUrl}}/settle/api/settleid/auth/user/login

Headers

Content-Type: application/json

Request Body Fields

email, password, consumer

Note: This token is used to call Generate Key (client credentials provisioning).

Generate Key (Client Credentials)

This endpoint generates a new set of client credentials for an affiliate or partner, identified by their email address. You must use the token obtained from the Partner Login step.

POST {{_apiUrl}}/settle/api/auth/generate-key

Headers

Authorization: Bearer <partner_login_token>

Request Body Fields

email - the partner email address

Auth Access (Get API Token)

Exchange a client_id and client_secret for the API Bearer token. This token is used on all subsequent protected endpoint calls.

POST {{_apiUrl}}/settle/api/auth/access

Request Body Fields

client_id, client_secret

Using the Bearer Token

Include the token in the Authorization header of every request to a protected endpoint:

Authorization: Bearer {{_affiliate_api_token}}

Note: All calls must be made over HTTPS. Tokens are server-side only and must never be included in frontend applications or client-side code.
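The full flow above (Partner Login, Generate Key, Auth Access, then the Authorization header on protected calls) as an added Python example; this is not code from the SettleRamp documentation or any SettleRamp SDK. It assumes JSON responses whose fields are named token, client_id and client_secret, which this page does not specify, and the post parameter exists so a test transport can replace the real HTTP call.

```python
import json
import urllib.request

LOGIN_PATH = "/settle/api/settleid/auth/user/login"
GENERATE_KEY_PATH = "/settle/api/auth/generate-key"
ACCESS_PATH = "/settle/api/auth/access"


def http_post_json(url, body, headers):
    """Default transport: POST a JSON body and return the decoded JSON response."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def _require_https(api_url):
    # All SettleRamp calls must go over HTTPS; refuse anything else up front.
    if not api_url.lower().startswith("https://"):
        raise ValueError("SettleRamp API calls must use HTTPS")


def provision_client_credentials(api_url, email, password, consumer, post=http_post_json):
    """One-time setup: Partner Login, then Generate Key using the login token.
    Returns (client_id, client_secret), to be stored in a secrets manager.
    Response field names ("token", "client_id", "client_secret") are assumed."""
    _require_https(api_url)
    login = post(api_url + LOGIN_PATH,
                 {"email": email, "password": password, "consumer": consumer}, {})
    creds = post(api_url + GENERATE_KEY_PATH, {"email": email},
                 {"Authorization": f"Bearer {login['token']}"})
    return creds["client_id"], creds["client_secret"]


def get_api_token(api_url, client_id, client_secret, post=http_post_json):
    """Auth Access: exchange stored client credentials for the API Bearer token."""
    _require_https(api_url)
    access = post(api_url + ACCESS_PATH,
                  {"client_id": client_id, "client_secret": client_secret}, {})
    return access["token"]


def auth_headers(api_token):
    """Header to attach to every protected endpoint call."""
    return {"Authorization": f"Bearer {api_token}"}


def redact(secret):
    """Log-safe form of a secret or token: a short prefix only, never the value."""
    return secret[:4] + "..." if len(secret) > 4 else "..."
```

Run provision_client_credentials once and keep only the returned pair; on each server start, call get_api_token and pass auth_headers(token) to your HTTP client.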

Security Practices

  • Secrets manager: Keep client_secret and tokens in a secrets manager -- never hard-code them in source files.

  • Separate credentials: Use different client_id / client_secret pairs for sandbox and production environments.

  • Rotate regularly: Rotate credentials periodically and revoke any that may have been exposed.

  • Request logging: Log request identifiers and partner transaction references for support and debugging.

  • Never share tokens: Do not include tokens in screenshots, logs, or client-side code. They are server-side only.

Next Steps