Authentication Methods

Visa Platforms Login uses Bearer token authentication for API access. This product requires specialized OAuth2 scopes and custom authentication setup procedures that differ from standard VDP x-pay token or two-way SSL methods.

OAuth2 Credentials and Scopes

Get your API Key and OAuth2 Credentials

OAuth2 client credentials with appropriate scopes must be established before any API calls. Production eligibility is limited to approved issuer banks with active Visa relationships and appropriate commercial agreements in place.

Obtain OAuth2 client credentials through the Visa Developer Portal project setup process. Ensure your project includes the Visa Platforms Login product with proper scope assignments based on your intended functionality.

Step 1: Identify Required Scopes

Configure OAuth2 scopes based on your integration requirements. Visa Platforms Login uses multiple specialized scopes:

  • USER_RW — User-level read/write operations
  • SYSTEM_USER_RW — System-level user read/write access
  • SYSTEM_USER_R — System-level user read-only access
  • EXTEND_USER_SESSION — Session management capabilities
  • USER_REGISTRATION_GUEST — Guest user registration (external)
  • USER_REGISTRATION_GUEST_INTERNAL — Guest user registration (internal)
  • USER-ATTRIBUTES_RW — User attributes read/write
  • SYSTEM_REMOVE_USER — Administrative user deletion
  • MIGRATE_USERS — Migration operations access
  • RE_VALIDATE_USER — User revalidation operations
  • openid — OpenID Connect integration

Step 2: Configure Client Credentials

Set up OAuth2 client credentials in your VDP project with the identified scopes. Different endpoints require different scope combinations based on the operations you intend to perform.

Generate and Use Bearer Tokens

Step 3: Obtain Access Token

Use the OAuth2 client credentials flow to obtain bearer access tokens. Token generation follows standard OAuth2 patterns but must include the appropriate Visa Platforms Login scopes.

Step 4: Configure Site ID

Site ID configuration in the GMAP system is required before site-specific operations. Authentication varies by siteId parameter, and site-specific data requires proper site configuration.

Step 5: Generating the Bearer Token

Generate OAuth2 bearer tokens using your configured client credentials and required scopes. Token requests must specify the appropriate scope combinations for your intended API operations.

Bearer tokens follow standard OAuth2 format but must include Visa Platforms Login-specific scopes. Token lifetime and refresh patterns follow standard OAuth2 conventions.

Step 6: Constructing the HTTP Header

Authorization: Bearer {your_access_token}
Content-Type: application/json
clientId: {your_client_id}

The clientId header is required for guest enrollment operations and other partner-specific functionality. Other endpoints may require additional headers based on role-based access requirements.

Step 7: Test OAuth2 Bearer Token Connectivity

Test authentication setup using the simplest GET endpoint to validate token configuration before attempting complex operations.

Use GET /user/find with a valid user token to confirm OAuth2 setup is working correctly. This endpoint validates authentication and basic connectivity without requiring complex payload construction.

Common authentication issues stem from incorrect scope configuration or site ID setup rather than token generation problems. Verify scope assignments match your intended endpoint usage patterns.
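
The scope and header checks implied by Steps 1 to 7, as an added example that is not Visa's code: it rejects misspelled scope names before a token request, reports scopes a token response did not grant, and builds the Step 6 headers. It assumes the token response is standard RFC 6749 JSON with an optional scope field; the token endpoint URL and the client authentication method are not given on this page and are left out, and all function names are illustrative.

```python
import json
from urllib.parse import urlencode

# Scope names exactly as listed in Step 1 of this page.
KNOWN_SCOPES = frozenset({
    "USER_RW", "SYSTEM_USER_RW", "SYSTEM_USER_R", "EXTEND_USER_SESSION",
    "USER_REGISTRATION_GUEST", "USER_REGISTRATION_GUEST_INTERNAL",
    "USER-ATTRIBUTES_RW", "SYSTEM_REMOVE_USER", "MIGRATE_USERS",
    "RE_VALIDATE_USER", "openid",
})


def token_request_body(scopes):
    """Form body for an RFC 6749 client-credentials request; rejects unknown scope names."""
    unknown = sorted(set(scopes) - KNOWN_SCOPES)
    if unknown:
        raise ValueError(f"scope(s) not in the Step 1 list: {unknown}")
    return urlencode({"grant_type": "client_credentials",
                      "scope": " ".join(sorted(set(scopes)))})


def missing_scopes(token_response_json, required):
    """Return the required scopes that the token response did not grant."""
    resp = json.loads(token_response_json)
    if "access_token" not in resp:
        raise ValueError("token response has no access_token")
    # RFC 6749 section 5.1: when 'scope' is omitted, the grant equals the request.
    granted = set(resp["scope"].split()) if "scope" in resp else set(required)
    return sorted(set(required) - granted)


def api_headers(access_token, client_id):
    """Headers from Step 6; keep the token value out of logs and error messages."""
    if not access_token or any(c in access_token for c in "\r\n"):
        raise ValueError("invalid access token")
    return {"Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
            "clientId": client_id}


# Constructed sample response (not real Visa output): one requested scope was not granted.
SAMPLE_RESPONSE = json.dumps({"access_token": "constructed-token", "token_type": "Bearer",
                              "expires_in": 3600, "scope": "USER_RW openid"})

if __name__ == "__main__":
    wanted = ["USER_RW", "EXTEND_USER_SESSION", "openid"]
    print(token_request_body(wanted))
    print("not granted:", missing_scopes(SAMPLE_RESPONSE, wanted))
```

Running the scope comparison right after token issuance separates a scope-assignment problem from a site ID problem before the first GET /user/find call.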

Environment Notes

  • Sandbox: OAuth2 scopes and site domains are restricted to test values. Site domains use rvcom-qa.visa.com variants.
  • Certification: Full scope testing available with review.visa.com domain variants.
  • Production: All scopes available with www.visa.com country-specific domain variants. Requires approved issuer relationship.

Authentication behavior is consistent across environments, but site domain restrictions and available scopes vary by environment level.