Getting Started

This section provides a summary of the steps required to get started implementing Deko on your website using both our APIs and our client-side library. Please review the steps below:


Fully integrating Deko Monthly requires both backend API and frontend client-side development.


Getting Started contains everything you need to implement Deko Pay Monthly and can be adapted to meet most e-commerce requirements, but you can also view full details of the API schema in the latest Deko API Reference.

Please note: the example curl commands in the following steps show the format of the request and response, but they use a dummy API hostname. Disregard it and replace it with the relevant UAT and Production details which we provide to you.


1. Obtain your Credentials

Your Client ID and Client Secret are provided during onboarding by Deko and are required in order to generate an access token for all steps listed in this section. Please check with your account manager for both UAT and Production (Live) credentials along with the actual Deko API hostnames for these environments. Details of current hostnames are available in the Environments section.


It is important that you keep these client credentials secure, both while they are being transmitted within your organisation and stored on your devices, and once they are implemented on your systems and servers.

You may be asked for the URL of your staging and live websites and these credentials may not work until these have been provided and configured in your Deko account.

2. Load Deko JS Bundle

The Deko integration requires a client-side step. You will need to load the Deko JavaScript checkout bundle. The following script tag should be placed close to the end of the head tag in your main index file:

<script src="" type="application/javascript"></script>

3. Access Deko APIs

In order to prevent unauthorised access, you must authenticate all requests with an access token. To complete authentication, send an HTTP POST request to the auth endpoint with your credentials, client_id and client_secret, as the payload. An example request and its response are shown below:

curl -X 'POST' \
  '' \
  -H 'accept: application/hal+json' \
  -H 'Content-Type: application/hal+json' \
  -d '{
  "client_id": "YOUR CLIENT ID",
  "client_secret": "YOUR CLIENT SECRET"
}'

Example response:

{
    "access_token": "eyJhbGciOiJSUzI1aDFd45gcCI6IkpXVCIsImtpZCI6Imp6SXZmaU1HNkJqVEpUWGxkRlVwZSJ9.eyJpc3MiOiJodHRwczovL2Rla29wYXktbWVyY2hhbnQtZGV2LmV1LmF1dGgwLmNvbS8iLCJzdWIiOiJwUUhyYkJLcnBOVG1MZ043UEpSVHpJM1JiT0hVZFY4ZEBjbGllbnRzIiwiYXVkIjoiaHR0cHM6Ly9hcGkuZGVrby11YXQuY29tIiwiaWF0IjoxNjQyNDk4MjI5LCJleHAiOjE2NDI1ODQ2MjksImF6cCI6InBRSHJiQktycE5UbUxnTjdQSlJUekkzUmJPSFVkVjhkIiwiZ3R5IjoiY2xpZW50LWNyZWRlbnRpYWxzIn0.p9tisXjwPbOyZ7xodq34-oT3jopJSn7XIOgnzNbVEBsvNHQ94njSgUhv0RCDfSDEUoMEtqJXaR-TbS09dlB8HI1DO6EFRD4BaQ6HqFqoEM0Ad8elQDrN1DnUiR-ggh2Lh2BWgqK3ke2vz_1MYg4tBRlmRU0nGb1T4fMHKPHI7kxtgR_3C6thGQ_tK22QLEx4sRAPx5-KEWkiEh_OJvt6XH851KHO4uihr0ldNm_yIMayjn34c20HMRGUC869dzPsxTc3hb5X0KZ7X3M9PKqd2IFLgoYAKZBykp9xdP4RAL4TCyUjmSzKEXw1jFXDbaaJJOdHyzS2ogTR0XjFylLo-w",
    "expires_in": 84255,
    "token_type": "Bearer"
}

The POST request returns an access_token, which you should send in the Authorization header of every API request.

To protect our servers, this endpoint is rate limited. Cache the auth token for the time specified in the expires_in field of the response. The cached token can then be used on any further request to our API until it expires, without requesting a new auth token.
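
One way to cache the token in your backend, shown as an added example and not Deko's own code. The environment variable names DEKO_CLIENT_ID, DEKO_CLIENT_SECRET and DEKO_AUTH_URL are assumptions, as are treating expires_in as a number of seconds and sending the token as "Authorization: Bearer <token>".

```python
import json
import os
import threading
import time
import urllib.request


def fetch_token():
    """POST the client credentials to the auth endpoint and return the parsed JSON."""
    # Assumed variable names: credentials come from the environment, never from
    # source code, and the auth URL is the one Deko provides for your environment.
    body = json.dumps({
        "client_id": os.environ["DEKO_CLIENT_ID"],
        "client_secret": os.environ["DEKO_CLIENT_SECRET"],
    }).encode()
    req = urllib.request.Request(
        os.environ["DEKO_AUTH_URL"], data=body, method="POST",
        headers={"accept": "application/hal+json",
                 "Content-Type": "application/hal+json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Reuses one access token so the rate-limited auth endpoint is rarely called."""

    def __init__(self, fetch=fetch_token, clock=time.monotonic, margin=60):
        self._fetch, self._clock, self._margin = fetch, clock, margin
        self._lock = threading.Lock()
        self._token = None
        self._expires_at = 0.0

    def get(self):
        with self._lock:  # only one refresh at a time under concurrent requests
            if self._token is None or self._clock() >= self._expires_at:
                reply = self._fetch()
                if reply.get("token_type") != "Bearer" or not reply.get("access_token"):
                    # Do not put the response body in the error: it may hold a token.
                    raise ValueError("unexpected auth response")
                # Assumption: expires_in is in seconds; refresh `margin` seconds early.
                lifetime = max(int(reply["expires_in"]) - self._margin, 0)
                self._token = reply["access_token"]
                self._expires_at = self._clock() + lifetime
            return self._token

    def auth_header(self):
        """Header to attach to every API request."""
        return {"Authorization": "Bearer " + self.get()}
```

Create one TokenCache per process and share it between request handlers, so the token and the client secret stay on the server and are never sent to the browser.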