API console
Paste your stage merchant credentials and run live calls against Wink. Each operation routes through this portal's same-origin proxy to stagelogin-api.winkapis.com, so CORS won't get in the way.
How auth works here
Wink uses three auth schemes depending on the endpoint:
Basic clientId:secret - POST /wink/v1/session and a few merchant-only calls.
Basic clientId:sessionId - face / voice / lookup / merchant-config (Login host, single-use session per call).
Bearer sessionId - consent + a few session-scoped endpoints.
Bearer userAccessToken - profile / wallet / WinkPin / 2FA; needs a real user. Authenticate a test user (step 2) first.
Sessions are single-use, so the console mints a fresh one under the hood for each session-scoped call — you'll see a session-mint log row plus the operation row per Run. The user accessToken is reused until it expires.
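The per-call session minting described above, as an added example that is not Wink's or this portal's code. The `sessionId` response field, the injected `transport` function, the sample credentials and any operation path other than /wink/v1/session are assumptions; `fakeTransport` is a constructed stand-in that rejects a reused session.

```javascript
// Added example, not Wink's code. Assumed: the `sessionId` response field,
// the transport signature, and any operation path other than /wink/v1/session.
const basic = (id, secret) =>
  'Basic ' + Buffer.from(`${id}:${secret}`).toString('base64');

function authHeader(scheme, c) {
  switch (scheme) {
    case 'basic-secret':   return basic(c.clientId, c.secret);
    case 'basic-session':  return basic(c.clientId, c.sessionId);
    case 'bearer-session': return `Bearer ${c.sessionId}`;
    case 'bearer-user':    return `Bearer ${c.userAccessToken}`;
    default: throw new Error(`unknown scheme: ${scheme}`);
  }
}
function makeConsole(creds, transport) {
  const log = [];
  const send = (row, method, path, scheme, c) => {
    const res = transport({ method, path, authorization: authHeader(scheme, c) });
    log.push(row);
    return res;
  };
  function run(scheme, method, path) {
    const c = { ...creds };
    if (scheme.endsWith('-session')) {
      // Sessions are single-use: mint a fresh one for every session-scoped call.
      c.sessionId = send('session-mint', 'POST', '/wink/v1/session', 'basic-secret', creds).sessionId;
    }
    if (scheme === 'bearer-user' && !c.userAccessToken) throw new Error('authenticate a test user first');
    return send(`${method} ${path}`, method, path, scheme, c);
  }
  return { run, log };
}

// Constructed stand-in for the API (session-scoped calls only): issues ids, rejects reuse.
function fakeTransport() {
  const live = new Set();
  let n = 0;
  return (req) => {
    if (req.path === '/wink/v1/session') {
      live.add(`sess-${++n}`);
      return { sessionId: `sess-${n}` };
    }
    const [kind, value] = req.authorization.split(' ');
    const sid = kind === 'Basic'
      ? Buffer.from(value, 'base64').toString().split(':')[1] : value;
    if (!live.delete(sid)) throw new Error('session already used or unknown');
    return { ok: true, sessionUsed: sid };
  };
}
```

Each `run` of a session-scoped scheme appends two rows to `log`, matching the session-mint row plus operation row the console shows.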