Admin Authentication
The Admin API uses a separate JWT from the merchant API. Obtain an admin token by calling the admin login endpoint:
POST https://olp-api.nipuntheekshana.com/v1/admin/auth/login
{
  "email": "admin@openpay.com",
  "password": "your_password"
}
Include the token in all subsequent admin requests:
Authorization: Bearer <admin_token>
Admin tokens are distinct from merchant tokens. A merchant Bearer token will not grant access to admin routes.
Role-Based Access Control (RBAC)
Admin users are assigned roles, and each role contains a set of permissions. The platform enforces RBAC on every admin endpoint — if the authenticated user’s role does not include the required permission, the API returns 403 FORBIDDEN.
| Concept | Description |
|---|---|
| Role | A named group of permissions (e.g., super_admin, support_agent) |
| Permission | A granular access right (e.g., merchants.approve, withdrawals.manage) |
Manage roles and permissions via the User Management endpoints.
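The per-endpoint check described above can be sketched as a deny-by-default guard. This is an added example, not the platform's own code: the role-to-permission mapping, the `token_type` and `role` claim names, the route names, and the choice of 403 for a merchant token are all assumptions.

```python
import functools

# Assumed role contents: the page names these roles and permissions but
# does not say which role holds which permission.
ROLE_PERMISSIONS = {
    "super_admin": {"merchants.approve", "withdrawals.manage"},
    "support_agent": {"merchants.approve"},
}

# Error body in the format shown under "Error Handling".
FORBIDDEN = (403, {"error": {
    "code": "FORBIDDEN",
    "message": "You do not have permission to perform this action",
}})

ROUTES = {}  # route name -> guarded handler


def admin_route(name, permission):
    """Register an admin handler; a route without a permission cannot exist."""
    if not permission:
        raise ValueError(f"{name}: admin routes must declare a permission")

    def decorator(handler):
        @functools.wraps(handler)
        def guarded(claims, *args, **kwargs):
            # `claims` come from a token whose signature was already verified.
            # Assumed claim names: "token_type" and "role".
            if claims.get("token_type") != "admin":
                return FORBIDDEN  # assumed status; merchant tokens stop here
            granted = ROLE_PERMISSIONS.get(claims.get("role"), set())
            if permission not in granted:  # unknown role -> empty set -> deny
                return FORBIDDEN
            return 200, handler(claims, *args, **kwargs)

        ROUTES[name] = guarded
        return guarded

    return decorator


# Hypothetical handlers, constructed for this example.
@admin_route("approve_merchant", "merchants.approve")
def approve_merchant(claims, merchant_id):
    return {"merchant_id": merchant_id, "status": "approved"}


@admin_route("approve_withdrawal", "withdrawals.manage")
def approve_withdrawal(claims, withdrawal_id):
    return {"withdrawal_id": withdrawal_id, "status": "approved"}
```

Because the permission is a required argument at registration time, a handler added later cannot be exposed without a declared permission, and a role missing from the mapping resolves to an empty permission set.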
Available Endpoint Groups
| Group | Description | Reference |
|---|---|---|
| Merchant Management | List, approve, reject, freeze, and terminate merchants | Merchant Management |
| Withdrawal Management | Review, approve, reject, and complete withdrawals | Withdrawal Management |
| Audit Logs | Query platform-wide and merchant-scoped audit trails | Audit Logs |
| Platform Settings | Configure payments, security, notifications, and more | Settings |
| User Management | Manage admin users and RBAC roles | User Management |
Error Handling
Admin endpoints follow the same error format as the rest of the API:
{
  "error": {
    "code": "FORBIDDEN",
    "message": "You do not have permission to perform this action"
  }
}
See the API Overview for the full list of error codes, pagination format, and rate-limit details.