Mozarto - The Payments Orchestration Platform
    • 1. Introduction
    • 2. Quick Start
    • 3. Authentication
    • 4. Errors
    • 5. Redirect flow
      • Pay-In Flow
      • Pay-Out Flow
      • Webhook Setup
    • 6. Payment Providers (PSPs)
      • Overview
      • Brite
      • Cleo
      • Flexepin
      • ForumPay
      • Gigadat
      • Neosurf
      • Payone
      • Trust Payments
      • WorldPay
    • 7. Redirect Flow APIs
      • PayIn
        • Forumpay
        • Payone
      • PayOut
        • Forumpay
        • Payone
    • Schemas
      • TransactionData

    3. Authentication

    Authentication#

    The Mozarto Cashier API authenticates requests using a company JWT issued by the Mozarto back office.

    Required headers#

    Every Cashier API request (Pay-In, Pay-Out) must include:
    HeaderValueDescription
    AuthorizationBearer <company-jwt>Your company JWT - identifies your platform

    User context headers#

    One of the following headers is also required. Which one you send depends on your integration mode:
    HeaderWhen to use
    x-user-tokenSend a JWT containing the end user's details. Mozarto decodes it directly and uses the payload (email, first name, last name, etc.) as the user context - no callback to your platform.
    x-user-authorizationSend the end user's session token from your platform. Mozarto forwards it as the Authorization header when calling your configured User Auth URL to verify the user server-to-server.
    Send x-user-token when your platform issues a signed JWT with the user's details and you want to pass that data to Mozarto without a server-to-server callback. The value must be a valid decodable JWT - passing a plain string causes the request to hang and return a 504 timeout.
    Send x-user-authorization when you have a User Auth URL configured in Admin Center - API Credentials and want Mozarto to verify the user against your platform before processing the transaction.
    If neither header is present, the request is rejected with 401 Unauthorized.

    x-user-token payload structure#

    Mozarto decodes the JWT and reads the following fields directly from the payload:
    FieldTypeRequiredDescription
    userIdstringYesYour internal user identifier
    emailstringYesUser's email address
    firstNamestringYesUser's first name
    lastNamestringYesUser's last name
    phonestringYesUser's phone number
    countryCodestringYesISO country code (e.g. "GB", "DE")
    emailVerifiedstringNoVerified email address - used for email verification checks
    Example payload:
    {
  "userId": "user_123",
  "email": "john.doe@example.com",
  "firstName": "John",
  "lastName": "Doe",
  "phone": "+441234567890",
  "countryCode": "GB",
  "emailVerified": "john.doe@example.com"
}
    Sign the JWT using the Secret key from Admin Center - API Credentials. This is the same secret Mozarto uses to verify the token on every request.
    To generate a test token for development:
    1.
    Open https://jwt.io
    2.
    Paste the payload above into the Payload field
    3.
    Enter your Secret key from Admin Center - API Credentials into the Verify Signature field
    4.
    Copy the encoded value from the top panel
    In production, generate the JWT on your server using your platform's JWT library:
    Never hardcode the secret key in client-side code or version control. Store it as an environment variable on your server.

    Obtaining your company JWT#

    Your company JWT is generated by Mozarto and is available in the back office:
    Admin Center - API Credentials
    Copy the Token value from that page and use it as the Authorization: Bearer value on all Cashier API requests.
    The token has a long expiry and does not need to be refreshed regularly. If credentials are compromised, regenerate them from the same page - this invalidates all previously issued tokens for your company.

    Example request#

    Store both tokens as environment variables to avoid pasting them into every request. Add the following variables in your HTTP client (Apidog: Environments - Edit, Postman: Environments - Add):
    VariableValueUsed in
    COMPANY_TOKENYour company JWT from Admin Center - API CredentialsAuthorization header on every request
    USER_TOKENA signed JWT containing the end user's details, signed with your Secret keyx-user-token header on every request
    SECRET_KEYYour Secret key from Admin Center - API CredentialsSigning x-user-token JWTs on your server
    Reference them in your request headers:
    Authorization: Bearer {{COMPANY_TOKEN}}
x-user-token: Bearer {{USER_TOKEN}}
    USER_TOKEN must be a valid signed JWT with a non-empty payload. An empty-payload token ({}) passes the format check but provides no user context - Mozarto will not be able to identify the user. The payload must contain the user's details (email, name, etc.) as defined by your platform. Passing a plain string instead of a JWT causes the request to hang and return a 504 timeout.
    For curl, export both as shell variables:

    Errors#

    HTTP StatusMeaning
    401 UnauthorizedToken missing, invalid, or expired
    403 ForbiddenPassword expired - user must change password

    Security#

    Never expose your company JWT in client-side (browser) code.
    All Mozarto API calls must be made from your server.
    If credentials are compromised, regenerate them immediately from Admin Center - API Credentials.
    Modified at 2026-05-08 07:16:55
    Previous
    2. Quick Start
    Next
    4. Errors
    Built with