Skip to main content
Skip table of contents

Katalys ⇠ Merchant

From the Integration to Katalys

The Sandbox Katalys GraphQL API is available at


In order to access non-public resources, requests must be authenticated using PASETO tokens.

When generating a token you must satisfy the following requirements:

  • It must specify the v2 version.

  • It must specify the local purpose.

  • It must have a payload containing at least an exp (Expiration) key and an iat (Issued At) key. For example: {"exp": "2022-01-23T23:50:07Z", "iat": "2022-01-23T23:45:07Z"} The above payload specifies that the token was issued on Jan 23rd, 2022 at 23:45 UTC and will expire on the same date at 23:50 UTC. Tokens are short-lived, so set the time to 5 minutes in the future (like in the example) or another reasonably short window.

  • Must have a footer containing a kid key, for example: {"kid": "KEY_ID"} where KEY_ID is the API key ID you received from Katalys.

  • Must be signed with the shared secret that you received from Katalys together with the key ID.

To generate your first token, follow this guide:

A token generated as described above must be passed as a bearer token in the Authorization HTTP header when making the request:

Authorization: Bearer YOUR_GENERATED_TOKEN

When the header is correctly set you should be allowed to make authenticated GraphQL requests. Here is an example request to access an order (select the fields that you actually need):

query Example {
  order(id: "008aef35-d31b-4340-a0ee-b25a3718a672") {
    lineItems {
      product {

See also

Example: generating a PASETO token
Katalys ⇢ Merchant

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.