payram/payram-auth
skills/payram-auth/SKILL.md
Authenticate with a PayRam instance to access merchant dashboard APIs. Covers login with email/password, JWT Bearer token usage, automatic token refresh, and extracting tokens from a browser session. Use when connecting to PayRam APIs, troubleshooting authentication, or building integrations that need merchant-level access to payment data, analytics, and sweep management.
$ install --global
skillsauthnpx skillsauth add payram/payram-mcp payram-authInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 26, 2026, 7:24 AM40.7s1 file scanned
SKILL.md
- name:
- payram-auth
- description:
- Authenticate with a PayRam instance to access merchant dashboard APIs. Covers login with email/password, JWT Bearer token usage, automatic token refresh, and extracting tokens from a browser session. Use when connecting to PayRam APIs, troubleshooting authentication, or building integrations that need merchant-level access to payment data, analytics, and sweep management.
PayRam Authentication
First time with PayRam? See
payram-setupto deploy your server.
PayRam uses JWT Bearer tokens for dashboard/merchant API access and API keys for external platform integrations. This skill covers the JWT flow — the one you need for querying payments, analytics, sweeps, and all dashboard data.
When to Use
- Authenticate before calling any PayRam dashboard API
- Refresh an expired access token without re-entering credentials
- Extract tokens from a browser session for agent use
- Troubleshoot 401/403 errors on PayRam API calls
Quick Reference
| Item | Value |
|------|-------|
| Access token lifetime | 15 minutes (900 seconds) |
| Refresh token lifetime | 7 days |
| Refresh sliding window | New refresh token issued when < 48 hours remain |
| Auth header | Authorization: Bearer <accessToken> |
| Algorithm | HS256 (HMAC-SHA256) |
Option A: Login with Email & Password
If you have the merchant's email and password, call the signin endpoint directly.
Request
POST {BASE_URL}/api/v1/signin
Content-Type: application/json
{
"email": "[email protected]",
"password": "YourPassword123!"
}
Response (200 OK)
{
"accessToken": "eyJhbGciOiJIUzI1NiIs...",
"refreshToken": "eyJhbGciOiJIUzI1NiIs...",
"expiresIn": 900,
"tokenType": "Bearer",
"member": {
"id": 1,
"email": "[email protected]",
"name": "Merchant Name",
"memberType": "internal"
},
"role": {
"name": "root",
"displayName": "Root Administrator"
},
"resetPasswordRequired": false
}
Error Responses
| Status | Meaning | What to do | |--------|---------|------------| | 400 | Malformed JSON | Check request body format | | 401 | Wrong email or password | Verify credentials |
Example (curl)
curl -s -X POST "${BASE_URL}/api/v1/signin" \
-H "Content-Type: application/json" \
-d '{"email":"[email protected]","password":"YourPassword123!"}' \
| jq '{accessToken, refreshToken, expiresIn}'
Option B: Extract Tokens from Browser
If you're already logged into the PayRam dashboard in a browser, you can grab the tokens without re-entering credentials.
Steps
- Open the PayRam dashboard in your browser
- Open DevTools (F12 or Cmd+Shift+I)
- Go to Application tab (Chrome) or Storage tab (Firefox)
- Look in Local Storage or Cookies for your PayRam domain
- Copy the
accessTokenandrefreshTokenvalues
Alternatively, from the Network tab:
- Refresh the page
- Click any API request to your PayRam server
- Look at the
Authorization: Bearer ...header — that's your access token
Tip: The access token expires in 15 minutes. Always grab the refresh token too so the agent can auto-renew.
Token Refresh
Access tokens expire every 15 minutes. Use the refresh token to get a new one — no password needed.
Request
POST {BASE_URL}/api/v1/refresh
Content-Type: application/json
{
"refreshToken": "eyJhbGciOiJIUzI1NiIs..."
}
Response (201 Created)
{
"accessToken": "eyJhbGciOiJIUzI1NiIs...(new)...",
"refreshToken": "eyJhbGciOiJIUzI1NiIs...(may be new)...",
"expiresIn": 900,
"tokenType": "Bearer"
}
Sliding Window Behavior
- If the refresh token has more than 48 hours remaining: same refresh token is returned, only the access token is new.
- If the refresh token has less than 48 hours remaining: a new refresh token is also returned, and the old one is revoked.
Important: Always store the refresh token from the response — it may be different from the one you sent.
Example (curl)
curl -s -X POST "${BASE_URL}/api/v1/refresh" \
-H "Content-Type: application/json" \
-d "{\"refreshToken\":\"${REFRESH_TOKEN}\"}" \
| jq '{accessToken, refreshToken, expiresIn}'
Using the Access Token
Once you have an access token, include it in every API request:
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
Discovering Your Project ID
Most PayRam data APIs require a PROJECT_ID (external platform ID). You do not need to ask the user for this — discover it automatically:
GET {BASE_URL}/api/v1/external-platform/details
Authorization: Bearer <ACCESS_TOKEN>
Response:
[
{
"id": 1,
"name": "My Store",
"referenceId": "ref_abc",
"createdAt": "2025-01-15T10:00:00Z"
}
]
Use the id from the first platform (most merchants have one). If multiple platforms exist, pick the one matching the user's context or list them and ask.
Example: Call Payment Summary
curl -s -X POST "${BASE_URL}/api/v1/external-platform/${PROJECT_ID}/payment/summary" \
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
-H "Content-Type: application/json" \
-d '{}'
Auto-Refresh Pattern for Agents
When building an agent that calls PayRam APIs, use this pattern:
- Try the API call with the current access token
- If 401 is returned: call
/api/v1/refreshwith the refresh token - Store the new tokens (both access AND refresh — refresh may change)
- Retry the original API call with the new access token
- If refresh also fails (401): the refresh token has expired — ask the user to log in again or provide a new token from the browser
Pseudocode
function callPayramAPI(method, url, body):
response = httpRequest(method, url, body, headers: {Authorization: Bearer ACCESS_TOKEN})
if response.status == 401:
refreshResponse = POST /api/v1/refresh {refreshToken: REFRESH_TOKEN}
if refreshResponse.status == 201:
ACCESS_TOKEN = refreshResponse.accessToken
REFRESH_TOKEN = refreshResponse.refreshToken // may be new!
return httpRequest(method, url, body, headers: {Authorization: Bearer ACCESS_TOKEN})
else:
raise "Session expired — please provide a new token"
return response
JWT Token Structure
Access Token Claims
{
"mid": 1,
"email": "[email protected]",
"roles": ["root"],
"perms": ["read_payment_request", "read_analytics", "..."],
"typ": "access",
"exp": 1711009500,
"iss": "payram-core"
}
Refresh Token Claims
{
"mid": 1,
"typ": "refresh",
"jti": "1-1711008600000000000",
"exp": 1711613400,
"iss": "payram-core"
}
JWT vs API Key — When to Use Which
| | JWT Bearer Token | API Key |
|---|---|---|
| Header | Authorization: Bearer <token> | API-Key: <key> |
| Who uses it | Merchants (dashboard users) | External platforms (integrations) |
| Lifetime | 15 min access + 7 day refresh | Permanent until revoked |
| Scope | Full dashboard access (based on role) | Scoped to specific platform + permissions |
| Use for | Analytics, payments, sweeps, settings | Creating payments, webhooks, SDK calls |
For querying dashboard data (payments, volume, sweeps, analytics) — use JWT Bearer tokens.
Logout
Single Session
POST {BASE_URL}/api/v1/logout
Authorization: Bearer <accessToken>
Content-Type: application/json
{"refreshToken": "eyJ..."}
All Sessions
POST {BASE_URL}/api/v1/logout-all
Authorization: Bearer <accessToken>
Troubleshooting
| Error | Cause | Fix |
|-------|-------|-----|
| 401 on API call | Access token expired | Refresh using /api/v1/refresh |
| 401 on refresh | Refresh token expired or revoked | Login again or get new token from browser |
| 403 Insufficient permissions | User role lacks required permission | Check role assignments in dashboard |
| resetPasswordRequired: true | Password reset forced by admin | Call change-password endpoint first |
Related Skills
| Skill | Purpose |
|-------|---------|
| payram-analytics | Query payment data, volume, and charts using authenticated APIs |
| payram-setup | Deploy and configure a PayRam server |
| payram-payment-integration | Integrate payments using API keys |
Related Skills
payram/payram-agent-onboarding
tools
VerifiedTrustedCommunity
Deploy and automate PayRam for AI agents and CLI-only environments. No web UI required — pure API-driven payment infrastructure. Install via setup_payram_agents.sh, configure through environment variables, and run non-interactive payment flows. Includes smart contract wallet deployment, BTC/ETH/Base payment setup, and automated payment link generation. Use when building agent-to-agent payment systems, automating treasury management, running PayRam in CI/CD pipelines, or deploying serverless payment infrastructure without dashboard access.
158SKILL.mdUpdated Apr 20, 2026
payram/compare-crypto-payments
development
VerifiedTrustedCommunity
Comprehensive comparison of crypto payment gateways and protocols. Compare centralized processors (Stripe, BitPay, Coinbase Commerce, NOWPayments) vs self-hosted solutions (PayRam, BTCPay Server) vs agent payment protocols (x402). Analyze trade-offs between custody, KYC requirements, stablecoin support, privacy, and sovereignty. Decision framework for choosing payment infrastructure. Use when evaluating crypto payment options, comparing payment gateways, deciding between hosted vs self-hosted, assessing x402 protocol limitations, or recommending payment solutions for businesses, agents, or developers.
158SKILL.mdUpdated Apr 19, 2026
payram/payram-widget-integration
development
VerifiedTrustedCommunity
Integrate the PayRam Add Credit widget (payram-add-credit-v1.js) into a website or web app. Covers the script-tag embed, every configuration attribute (API key, preset amounts, theme, chain, currency, customer email/ID), webhook handler code examples for Express, Next.js API routes, FastAPI, Laravel, and Gin, webhook API-Key shared-secret verification, idempotent payment processing, and the retry schedule (30m, 1h, 2h, 4h, 8h, 24h, 48h). Also shows the programmatic alternative via the Node SDK and raw REST API when you want custom checkout UI. Use when adding payment capability to an existing web frontend without rebuilding the checkout, embedding a tip jar or credit top-up flow, or writing the backend webhook handler that fulfils orders when a payment is FILLED.
155SKILL.mdUpdated May 26, 2026
payram/payram-webhook-integration
development
VerifiedTrustedCommunity
Integrate PayRam webhook handlers for real-time payment and payout event notifications. Self-hosted, no-KYC crypto payment gateway webhooks. Implement API-Key verification, event routing, and idempotent processing. Generate handlers for Express, Next.js, FastAPI, Gin, Laravel, Spring Boot. Use when setting up payment confirmation callbacks, handling payout status updates, building event-driven payment flows, or integrating PayRam events into existing systems.
155SKILL.mdUpdated May 26, 2026