Loyalty integration authentication


The authentication method described in this section is deprecated. The preferred authentication method for the Toast loyalty API is static API key authentication. For information about using static API authentication, see Authenticating outbound API requests.

You can verify that loyalty transaction requests are from the Toast platform by validating the JSON Web Token (JWT) in the header of every request. Each loyalty transaction request includes a JWT in the Authorization header field.

You can validate the JWT for a request with a public key that you get from the Toast API user management service.

You use the public key that matches the Toast environment that you are integrating with. For information about Toast API environments, see Environments.

  • For the production environment (real transactions) send a GET request to the following endpoint.

  • For the sandbox environment (testing transactions) send a GET request to the following endpoint.



The Toast technical partnership team supplies the host names for Toast API environments during your integration process.

Public keys

A Toast public key for partner API authentication is an X.509 public key, DER-encoded and wrapped in PEM format.

The following example shows the public key string in the JSON response from the /usermgmt/v1/oauth/token_key endpoint. The JSON value named value contains the public key string. The key string in this example is not functional.

Example Public Key for Partner API Authentication

   "value":"-----BEGIN PUBLIC KEY-----\nnub\nvwIDAhqhkiG9w0BAQEJ9tKko/3jXqdzI/NO4n3Qc99xVQ8wlfrh4tp56yjRnub\nvwIDAQAB\n-----END PUBLIC KEY-----\n"


The /oauth/token_key endpoint returns a JSON object that contains multiple values. One of the values provides the public key string.


The alg value indicates the encryption algorithm used for the public key.


The value value includes the public key string. You can use the string supplied in the value value to validate the authentication tokens in a Toast platform loyalty transaction request.

Using the public key to validate JWTs

You can validate JSON Web Tokens (JWTs) using several libraries for common programming languages. For more information about working with JWTs, see https://jwt.io/. The JWT web site also includes a tool that you can use to verify a token manually.
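The validation described above, as an added example that is not Toast's own code, using the built-in crypto module of Node.js. It assumes the tokens are signed with RS256, that the Authorization value may carry a Bearer prefix, and that tokens include an exp claim; makeSample and its throwaway key pair are constructed stand-ins for the Toast key and a real request.

```javascript
const nodeCrypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const fromB64url = (text) => Buffer.from(text, 'base64url');

// Parse the token_key JSON response and load the PEM string held in "value".
function loadPublicKey(tokenKeyJson) {
  return nodeCrypto.createPublicKey(JSON.parse(tokenKeyJson).value);
}

// Returns the token's claims when it verifies; throws otherwise.
function verifyToastJwt(authorization, publicKey, now = Math.floor(Date.now() / 1000)) {
  // Assumption: the header may carry a "Bearer " prefix; accept it with or without.
  const parts = authorization.replace(/^Bearer\s+/i, '').trim().split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [header, payload, signature] = parts;
  // Pin the algorithm (RS256 assumed) so the token cannot pick "none" or an HMAC.
  if (JSON.parse(fromB64url(header)).alg !== 'RS256') throw new Error('unexpected alg');
  const signed = Buffer.from(`${header}.${payload}`);
  if (!nodeCrypto.verify('sha256', signed, publicKey, fromB64url(signature))) {
    throw new Error('bad signature');
  }
  // Parse claims only after the signature checks out. Requiring exp is an assumption.
  const claims = JSON.parse(fromB64url(payload));
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Constructed sample: a throwaway key pair stands in for the Toast signing key.
function makeSample(claims, alg = 'RS256') {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const tokenKeyJson = JSON.stringify({ value: publicKey.export({ type: 'spki', format: 'pem' }) });
  const signingInput = `${b64url(JSON.stringify({ alg, typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  const signature = nodeCrypto.sign('sha256', Buffer.from(signingInput), privateKey);
  return { tokenKeyJson, authorization: `Bearer ${signingInput}.${b64url(signature)}` };
}

const sample = makeSample({ sub: 'constructed-restaurant', exp: 2000000000 });
const demoClaims = verifyToastJwt(sample.authorization, loadPublicKey(sample.tokenKeyJson), 1700000000);
console.log('verified claims:', demoClaims);
```

Load the key once at startup and pass the cached key object to verifyToastJwt for each incoming request.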

Refreshing the public key

Typically, the Toast technical partnership team does not change the key pair used to sign JWTs. You can cache the public key that you get from the Toast API user management service. You do not need to get a new copy of the public key every time you verify an incoming request.

To maintain security, the technical partnership team may replace the key pair at any time. When the key pair changes, you must get a new public key from the user management service.

To make your integration more flexible when the technical partnership team replaces the key pair, get and cache a new copy of the public key each time you start your service. When the technical partnership team replaces the key pair, you can stop and restart your service to refresh the public key.