Mozarto - The Payments Orchestration Platform
    • 1. Introduction
    • 2. Quick Start
    • 3. Authentication
    • 4. Webhook Setup
    • 5. Errors
    • 6. Redirect flow
      • Pay-In Flow
      • Pay-Out Flow
    • 7. Payment Providers (PSPs)
      • Overview
      • Brite
      • Cleo
      • Flexepin
      • ForumPay
      • Gigadat
      • Neosurf
      • PayOne
      • Trust Payments
      • Worldpay
      • Emerchantpay
    • 8. Redirect Flow APIs
      • Redirect Flow APIs - overview
      • Pay-In
        • WorldPay
        • Forumpay
        • Payone
        • Gigadat
        • Flexepin
        • Trust
      • Pay-Out
        • Forumpay
        • Payone
        • Gigadat withdraw ETO
        • Gigadat withdraw ACH
      • Webhook
        • Payone status webhook
    • Schemas
      • TransactionData

    3. Authentication

    Authentication#

    The Mozarto Cashier API authenticates requests using a company JWT issued by the Mozarto back office.

    Required headers#

    Every Cashier API request (Pay-In, Pay-Out) must include:
    HeaderValueDescription
    AuthorizationBearer <company-jwt>Your company JWT - identifies your platform

    User context headers#

    One of the following headers is also required. Which one you send depends on your integration mode:
    HeaderWhen to use
    x-user-tokenSend a JWT containing the end user's details. Mozarto decodes it directly and uses the payload (email, first name, last name, etc.) as the user context - no callback to your platform.
    x-user-authorizationSend the end user's session token from your platform. Mozarto forwards it as the Authorization header when calling your configured User Auth URL to verify the user server-to-server.
    Send x-user-token when your platform issues a signed JWT with the user's details and you want to pass that data to Mozarto without a server-to-server callback. The value must be a valid decodable JWT - passing a plain string causes the request to hang and return a 504 timeout.
    Send x-user-authorization when you have a User Auth URL configured in Admin Center - API Credentials and want Mozarto to verify the user against your platform before processing the transaction.
    If neither header is present, the request is rejected with 401 Unauthorized.

    x-user-token payload structure#

    Mozarto decodes the JWT and reads the following fields directly from the payload:
    FieldTypeRequiredDescription
    userIdstringYesYour internal user identifier
    emailstringYesUser's email address
    firstNamestringYesUser's first name
    lastNamestringYesUser's last name
    phonestringYesUser's phone number
    countryCodestringYesISO country code (e.g. "GB", "DE")
    emailVerifiedstringNoVerified email address - used for email verification checks

    How to create and sign JWT#

    Example payload:
    {
  "userId": "user_123",
  "email": "john.doe@example.com",
  "firstName": "John",
  "lastName": "Doe",
  "phone": "+441234567890",
  "countryCode": "GB",
  "emailVerified": "john.doe@example.com"
}
    Sign the JWT using the Secret key from Admin Center - API Credentials. This is the same secret Mozarto uses to verify the token on every request.
    To generate a test token for development:
    1.
    Open https://jwt.io
    2.
    Paste the payload above into the Payload field
    3.
    Enter your Secret key from Admin Center - API Credentials into the Verify Signature field
    4.
    Copy the encoded value from the top panel
    In production, generate the JWT on your server using your platform's JWT library:
    Never hardcode the secret key in client-side code or version control. Store it as an environment variable on your server.

    Obtaining your company JWT#

    Your company JWT is generated by Mozarto and is available in the back office:
    Admin Center - API Credentials
    Copy the Token value from that page and use it as the Authorization: Bearer value on all Cashier API requests.
    The token has a long expiry and does not need to be refreshed regularly. If credentials are compromised, request new credentials from or contact the Mozarto support team - reissuing credentials invalidates all previously issued tokens for your company.

    Example request#

    Store both tokens as environment variables to avoid pasting them into every request. Add the following variables in your HTTP client (Apidog: Environments - Edit, Postman: Environments - Add):
    VariableValueUsed in
    COMPANY_TOKENYour company JWT from Admin Center - API CredentialsAuthorization header on every request
    USER_TOKENA signed JWT containing the end user's details, signed with your Secret keyx-user-token header on every request
    SECRET_KEYYour Secret key from Admin Center - API CredentialsSigning x-user-token JWTs on your server
    Reference them in your request headers:
    Authorization: Bearer {{COMPANY_TOKEN}}
x-user-token: Bearer {{USER_TOKEN}}
    USER_TOKEN must be a valid signed JWT with a non-empty payload. An empty-payload token ({}) passes the format check but provides no user context - Mozarto will not be able to identify the user. The payload must contain the user's details (email, name, etc.) as defined by your platform. Passing a plain string instead of a JWT causes the request to hang and return a 504 timeout.
    For curl, export both as shell variables:

    Errors#

    HTTP StatusMeaning
    401 UnauthorizedToken missing, invalid, or expired
    403 ForbiddenPassword expired - user must change password

    Security#

    Never expose your company JWT in client-side (browser) code.
    All Mozarto API calls must be made from your server.
    If credentials are compromised, request new credentials from or contact the Mozarto support team immediately.
    Modified at 2026-06-15 11:39:16
    Previous
    2. Quick Start
    Next
    4. Webhook Setup
    Built with