The APIs use industry standard OAuth2 for authentication. Most users find success with one of the libraries on the OAuth2 website. The following URLs can be used when using an off-the-shelf OAuth2 library:
EnvironmentRoot URLFull Path
Sandboxhttps://oauth.sandbox.paxos.comhttps://oauth.sandbox.paxos.com/oauth2/token
Productionhttps://oauth.paxos.comhttps://oauth.paxos.com/oauth2/token

➊ Add Scopes (Client Permissions)

When authenticating, include the scopes (Client Permissions) necessary for the client to complete the intended actions.
Scopes for each endpoint are listed in the Authorizations section in the API Reference docs. The Market Data and most Pricing endpoints do not require authorization.
For example, the following scopes (space delimited) should provide sufficient permissions to mint, redeem, and convert Paxos-isssued stablecoins: 
conversion:read_conversion_stablecoin
conversion:write_conversion_stablecoin
funding:read_profile
funding:write_profile
transfer:read_deposit_address
transfer:read_transfer
transfer:read_fiat_account
transfer:read_fiat_deposit_instructions
transfer:write_internal_transfer
transfer:write_crypto_withdrawal
transfer:write_deposit_address
transfer:write_fiat_account
transfer:write_fiat_deposit_instructions
transfer:write_fiat_withdrawal

➋ Get Access Token

Every endpoint that requires a Scope must be accompanied by an “Authorization” header with a value that follows the \"Bearer {access_token}" schema.

Sandbox

To authenticate with https://oauth.sandbox.paxos.com/oauth2/token, use your credentials to create a bearer token. The authentication request must include {client_id} (Client ID) and {client_secret} (Client Secret) configured for your API credentials. Include sufficient {client_scopes} (Client Permissions). 
curl --location 'https://oauth.sandbox.paxos.com/oauth2/token' \
--form grant_type=client_credentials \
--form client_id={client_id} \
--form client_secret={client_secret} \
--form scope='{client_scopes}'

Production

To authenticate with https://oauth.paxos.com/oauth2/token, use your credentials to create a bearer token. The authentication request must include the {client_id} (Client ID) and {client_secret} (Client Secret) configured for your API credentials. Include sufficient {client_scopes} (Client Permissions). 
curl --location 'https://oauth.paxos.com/oauth2/token' \
--form grant_type=client_credentials \
--form client_id={client_id} \
--form client_secret={client_secret} \
--form scope='{client_scopes}'
Confirm the response includes the requisite scopes and save the access_token to use in the request authorization header (-H "Authorization: Bearer {access_token}"). 
{
 "access_token": "{access_token}",
 "expires_in": 3599, // Seconds (59 Minutes and 59 Seconds)
 "scope": "{client_scopes}",
 "token_type": "bearer"
}
Once you have the access_token, make an API call in Sandbox.