Authentication - Single Sign-on (SSO)
Before completing authentication, ensure that the GTR server authenticates incoming requests by verifying the bearer token in the Authorization header. To generate the bearer token, follow the steps below.
How to build authentication payload
Fill in the following JSON using the information from your api_key.csv file above.
{
  "vaspCode": "f93_faj30ae3",
  "accessKey": "2DF9SDJ3RFA93HFA0F93HAB0S93F",
  "signedSecretKey": "6bbb4d21bdb8a0720f9b9850b96b1110c3bcab725d4e829722581461d4ee3cd8f9431e4f4d90c739328d03a04f6280067a1e30de258a85755f214d2942d42b21",
  "expireInMinutes": 86400
}
- Please note that signedSecretKey is the SHA-512 hash of your secret_key.
- expireInMinutes is an optional setting; here it expires the token after 86,400 minutes (60 days). If left empty, the token will not expire except when you invoke logout or change the API key.
Refer to the .csv file, and assume the example secret_key is:
DFSD0JFN43SGNDSPIAN30IHSIDFN0SAR3BNFA0ISFNBI0N3RNFWE0F
After applying SHA-512 hashing, the result will be:
6bbb4d21bdb8a0720f9b9850b96b1110c3bcab725d4e829722581461d4ee3cd8f9431e4f4d90c739328d03a04f6280067a1e30de258a85755f214d2942d42b21
Get access token with login API
Send the request to the GTR server to get a login response.
The shell example below shows the login request. You need to implement the login method in your own service program.
curl --location --request POST 'https://platform.globaltravelrule.com/api/login' \
  -k --cert-type P12 --cert ./certificate.p12:'[MY_PASSWORD_OF_CERT]' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "vaspCode": "f93_faj30ae3",
    "accessKey": "2DF9SDJ3RFA93HFA0F93HAB0S93F",
    "signedSecretKey": "6bbb4d21bdb8a0720f9b9850b96b1110c3bcab725d4e829722581461d4ee3cd8f9431e4f4d90c739328d03a04f6280067a1e30de258a85755f214d2942d42b21"
  }'
- You are required to use the certificate.p12 file in conjunction with your personal password when sending a request to the GTR login endpoint.
- MY_PASSWORD_OF_CERT: This password is set up as per the instructions in the About mTLS chapter. It will be used to secure the private key and the signed certificate pair file.
Upon successful login, you will receive a response similar to the following example:
{
  "data": {
    "jwt": "eyJWTTokenblablabla",
    "vaspCode": "f93_faj30ae3"
  },
  "verifyMessage": "success",
  "verifyStatus": "100000",
  "success": true
}
The data.jwt token will be the Bearer Token that you use to send any request to the GTR server.
About API access token
To access the GTR server's business APIs, each request must carry the JWT Bearer token issued after a successful login.
GTR API access token
When the business system calls the GTR API, the request header must carry the JWT token in the following KEY-VALUE format.
KEY: Authorization
VALUE: "Bearer" + space + JWT_TOKEN
Here is an example of how you will later use the JWT to send the request to check the current login status:
curl --silent --location --request GET "https://platform.globaltravelrule.com/api/status" \
  -k --cert-type P12 --cert ./certificate.p12:'[MY_PASSWORD_OF_CERT]' \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer eyJWTTokenblablabla" \
  --header "Connection: keep-alive"
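The login payload and Authorization header described above, as an added Python example (not GTR's own code). The function names are hypothetical, the sample response is constructed from the one shown above, and it assumes the secret key is hashed as UTF-8 bytes after surrounding whitespace is removed.

```python
import hashlib
import json


def sign_secret_key(secret_key: str) -> str:
    """Return the lowercase hex SHA-512 digest sent as signedSecretKey."""
    # A key copied from a CSV often carries a trailing newline or spaces;
    # hashing those extra bytes gives a different digest and login fails.
    cleaned = secret_key.strip()
    if not cleaned:
        raise ValueError("secret_key is empty")
    # Assumption: the key is hashed as UTF-8 bytes (the sample key is ASCII).
    return hashlib.sha512(cleaned.encode("utf-8")).hexdigest()


def build_login_payload(vasp_code, access_key, secret_key, expire_in_minutes=None):
    """Build the login body; only the digest of secret_key is included."""
    payload = {
        "vaspCode": vasp_code,
        "accessKey": access_key,
        "signedSecretKey": sign_secret_key(secret_key),
    }
    # Omitting expireInMinutes yields a token that does not expire until
    # logout or an API key change, so set it when a bounded lifetime is wanted.
    if expire_in_minutes is not None:
        payload["expireInMinutes"] = int(expire_in_minutes)
    return payload


def authorization_header(login_response_text: str) -> dict:
    """Turn a login response body into the header for later API calls."""
    body = json.loads(login_response_text)
    jwt = (body.get("data") or {}).get("jwt")
    if body.get("success") is not True or not jwt:
        raise RuntimeError("login failed: %s" % body.get("verifyMessage"))
    return {"Authorization": "Bearer " + jwt}


# Constructed sample, copied in shape from the login response shown above.
SAMPLE_RESPONSE = json.dumps({
    "data": {"jwt": "eyJWTTokenblablabla", "vaspCode": "f93_faj30ae3"},
    "verifyMessage": "success", "verifyStatus": "100000", "success": True,
})

if __name__ == "__main__":
    # "constructed-secret" is a made-up key, not a value from api_key.csv.
    print(build_login_payload("f93_faj30ae3", "2DF9SDJ3RFA93HFA0F93HAB0S93F",
                              "constructed-secret", 86400))
    print(authorization_header(SAMPLE_RESPONSE))
```

The curl commands on this page pass -k, which turns off verification of the server certificate; a service implementation should send this payload over a connection that keeps server verification on.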
Reference