access token

An access token is an OAuth bearer token that enables a developer to access the AffiniPay Payment Platform and its APIs.

account ID

An account ID identifies each of a merchant’s accounts, which can include multiple credit and eCheck accounts. Every transaction applies to only one account, specified with its account ID. Merchants can see their account IDs in the AffiniPay web application.

AffiniPay Payment Platform

The AffiniPay Payment Platform enables professionals to process payments. It has a suite of APIs that developers use to integrate payment solutions into websites or applications.

AffiniPay web application

In the AffiniPay web application, developers can access the API keys needed to request information about the merchant’s account and public key.

The AffiniPay web application URL varies depending on which AffiniPay product you’re using:

API keys

AffiniPay provides each merchant with a public key that identifies that merchant to AffiniPay. AffiniPay also provides test- and live-mode secret keys that authenticate API requests made on that merchant’s behalf.

API keys are available in the My Website section of the AffiniPay web application. Go to:

If you are a partner taking payments on behalf of a merchant, you received the merchant’s secret keys when you retrieved their payment gateway credentials.

authorized application

Authorized applications perform transactions on behalf of a merchant. The My Website authorized application in the AffiniPay web application is where the merchant’s public key can be found.

If a merchant accepts payments through an AffiniPay partner’s application (like a practice management, association administration, or donation management application), that application must also be on the merchant’s authorized applications list.


AVS

To help ensure only authorized users are making purchases, the major credit card networks, such as Visa, MasterCard, American Express, and Discover, provide Address Verification System (AVS) security checks. AffiniPay uses these security checks to validate credit card transactions like online payments.


contact

A contact is an entity (representing a person or business organization) that acts within the AffiniPay Payment Portal system, such as the merchant that creates the invoice and the user who is associated with the invoice.


CVV

To help ensure only authorized users are making purchases, the major credit card networks, such as Visa, MasterCard, American Express, and Discover, provide Card Verification Value (CVV) security checks. AffiniPay uses these security checks to validate credit card transactions like online payments. CVV is often used for card-present retail transactions as well.


eCheck

Electronic check (eCheck) payments move funds electronically between banks using routing and account numbers.


invoice

An invoice lists an amount to be paid by the client to the merchant. The merchant creates and sends an invoice from the partner’s application. When the user receives the email, they can click a link and pay the invoice in the AffiniPay payment portal. Portal payments are only available for partners to integrate into their applications.


merchant

A merchant is a business for whom payments are processed using the AffiniPay Payment Platform. Merchants can take payments for themselves; partners can take payments on behalf of their customers, who are AffiniPay merchants.

OAuth authorization code flow

The OAuth authorization code flow uses an authorization code grant to facilitate the OAuth 2.0 flow. The authorization code flow enables a partner’s customers (who are AffiniPay merchants) to give the partner’s application permission to perform operations on the merchant’s behalf.

See Connecting existing merchants.

OAuth client library

An OAuth client library enables you to run the OAuth authorization code flow and OAuth client credentials flow. Here’s a list of client libraries:

OAuth client credentials flow

The OAuth client credentials flow uses a client credentials grant to facilitate the OAuth 2.0 flow. The client credentials flow enables a partner to access protected API resources that don’t require a resource owner, in particular to submit a merchant application to AffiniPay. To do so, the partner’s application must acquire an access_token based on partner OAuth application credentials.

one-time payment token

A one-time payment token is obtained as a result of the tokenization process, where software running on the customer’s device securely exchanges sensitive payment details for an opaque token generated by the PCI DSS-compliant payment gateway. A one-time token can be used in transactions or to create a saved payment token. One-time tokens expire five minutes after creation.


partner

A partner is a business that takes payments on behalf of an AffiniPay merchant.

partner OAuth application

Integrating an application with the AffiniPay system requires a partner OAuth application. An AffiniPay employee creates a partner’s first partner OAuth application.

A partner’s merchants must authorize the partner OAuth application to perform actions such as charge, refund, and void on their behalf through the OAuth authorization code flow.

Merchants can revoke a partner OAuth application’s access to their AffiniPay account at any time by logging in to the AffiniPay web application and removing their connection to the partner OAuth application.

payment token

A payment token is a payment method, such as a one-time payment token or a saved payment token like a saved card or bank. In a transaction, a payment token obscures the sensitive aspects of the payment details while providing an ID that may be used in any API that accepts card or bank details.

PCI compliance

Storing and transmitting cardholder data makes a business’s infrastructure a target for attacks, which is why any organization that processes credit card transactions must certify compliance with the Payment Card Industry Data Security Standard (PCI DSS).

AffiniPay maintains a Level 1 PCI certification, which requires annual audits, but we also encourage our security auditor to audit us randomly throughout the year. We pride ourselves on aspiring to a higher security standard than the minimum requirements of PCI compliance.

public key

A public key is the API key used to create tokens that secure the payment details sent to the AffiniPay Payment Gateway API. The public key is available in the My Website section of the AffiniPay web application.

saved payment token

A saved payment token is a payment token that provides a managed mechanism for supporting multiple payments over time. Saved payment methods are typically integrated into a site or application to support “remembered” payment details for users.

secret key

Secret keys are the API keys issued to merchants and used to perform operations using the AffiniPay Payment Gateway API. Merchants should store their secret keys securely and keep them confidential so no one can run transactions without their permission.

Note: If you suspect your test- or live-mode secret keys have been compromised, contact AffiniPay immediately to reset your secret keys.

The secret key you specify when making an API request affects how the operation is processed.

Attempts to mix secret keys and accounts will fail.


tokenization

Tokenization is the process of sending payment details (such as credit card and bank account numbers) to a secure PCI DSS-compliant payment gateway in exchange for a one-time token. The token can be used to make a payment, but it must be used along with the merchant’s secret key.

Here’s the tokenization flow:

  1. The cardholder enters payment details in a form and triggers a click event.
  2. The payment page responds to the click event and requests a payment token from the AffiniPay Payment Gateway.
  3. The AffiniPay Payment Gateway stores payment details and returns a token to the payment page.
  4. The payment page receives a payment token from the AffiniPay Payment Gateway and POSTs the token and amount to charge to the web server.
  5. The web server sends a charge request to the AffiniPay Payment Gateway API using the merchant’s secret key.
  6. The web server processes the response from the AffiniPay Payment Gateway and checks for any errors that have occurred.
  7. After the payment page receives the transaction response from the web server, the payment page is updated.
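
The flow above, modelled as an added example (not AffiniPay code or its API): an in-memory stand-in for the gateway shows why the web server only ever handles a token, and why the token is useless without the secret key or after five minutes. The names ModelGateway, tokenize, charge and handleCheckout, the error strings, and single-use enforcement are assumptions made for the model.

```javascript
// Added model of the tokenization flow. All names and key values here are
// hypothetical; this is not AffiniPay's API.
const TOKEN_TTL_MS = 5 * 60 * 1000; // one-time tokens expire five minutes after creation

class ModelGateway {
  constructor(publicKey, secretKey) {
    this.publicKey = publicKey;
    this.secretKey = secretKey;
    this.vault = new Map(); // token id -> { details, createdAt }
  }

  // Steps 2-3: the payment page sends payment details with the PUBLIC key.
  tokenize(publicKey, details, now = Date.now()) {
    if (publicKey !== this.publicKey) throw new Error("unknown public key");
    // Model only: a real gateway issues token ids from a CSPRNG.
    const id = "tok_" + Math.random().toString(36).slice(2);
    this.vault.set(id, { details, createdAt: now });
    return { id }; // opaque: no payment details go back to the page
  }

  // Step 5: only a caller holding the SECRET key can spend the token.
  charge(secretKey, tokenId, amount, now = Date.now()) {
    if (secretKey !== this.secretKey) return { ok: false, error: "unauthorized" };
    const entry = this.vault.get(tokenId);
    if (!entry) return { ok: false, error: "unknown_or_used_token" };
    this.vault.delete(tokenId); // single use (assumed from "one-time")
    if (now - entry.createdAt > TOKEN_TTL_MS) return { ok: false, error: "token_expired" };
    return { ok: true, amount };
  }
}

// Steps 4-6: the web server accepts only { token, amount } from the page,
// so raw card or bank numbers are rejected before they can be processed or logged.
function handleCheckout(gateway, secretKey, body, now = Date.now()) {
  const keys = Object.keys(body).sort().join(",");
  if (keys !== "amount,token") return { ok: false, error: "unexpected_fields" };
  if (!Number.isInteger(body.amount) || body.amount <= 0) {
    return { ok: false, error: "invalid_amount" };
  }
  return gateway.charge(secretKey, body.token, body.amount, now); // step 6: caller checks .ok
}
```
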