An access_token is a unique string of letters and numbers that is passed with every API call. WePay uses these tokens to verify that your application has authorization to make calls on behalf of your merchants.
When you include an access_token in an API call, we automatically know the API application and the WePay user for whom the call is being made. Each access_token is associated with:
- Your API application
- The merchant you’re making the call for
- The actions that user is allowed to take based on the permissions you’ve set
Access Token Security
access_tokens are private, so they should never be shared or passed as a GET or POST argument. You should never email your access_token to WePay or a third-party.