Merion API

Getting Started

Base URL, authentication model, and how to request access for the Merion API hub.

Base URL

All API requests go to:

https://api.merion.com.au

The API uses HTTPS exclusively. HTTP requests are not accepted. The base URL is stable and versioning is handled via path prefix where relevant.

Authentication

The Merion API uses OpenID Connect (OIDC) for authentication. The authorisation server is auth.merion.com.au. All token operations follow the OpenID Connect Core 1.0 specification.

Token type

Bearer tokens are issued as signed JWTs using the ES256 algorithm (ECDSA with P-256 and SHA-256). The public signing keys are available via the JWKS endpoint in the OIDC discovery document:

GET https://api.merion.com.au/.well-known/openid-configuration

PKCE

The authorisation code flow requires PKCE with S256 (Proof Key for Code Exchange, SHA-256 code challenge method). Plain code challenges are rejected. This applies to both the partner-facing and client-facing flows.
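The client side of the S256 requirement, as an added Python example (not Merion's own code): it generates a verifier, derives the challenge as defined in RFC 7636, and builds the authorisation request. The function names, the example.invalid URLs and the client ID are placeholders; the real authorisation endpoint comes from the discovery document.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import urlencode

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def new_code_verifier(n_bytes: int = 32) -> str:
    """Return a high-entropy verifier (32 random bytes -> 43 characters)."""
    raw = secrets.token_bytes(n_bytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """BASE64URL(SHA-256(ASCII(verifier))) with the padding removed."""
    if not _VERIFIER_RE.fullmatch(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorisation_request(authorization_endpoint, client_id,
                                redirect_uri, scope="openid"):
    """Return (url, verifier, state); keep verifier and state for the callback."""
    verifier = new_code_verifier()
    state = secrets.token_urlsafe(16)  # compared with the state on the callback
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",  # plain challenges are rejected
    })
    return f"{authorization_endpoint}?{query}", verifier, state


if __name__ == "__main__":
    # Constructed placeholder values, not real Merion endpoints or credentials.
    url, verifier, state = build_authorisation_request(
        "https://auth.example.invalid/authorize", "EXAMPLE_CLIENT_ID",
        "https://partner.example.invalid/callback")
    print(url)
```

The verifier is sent only in the later token request as code_verifier, so it should stay in server-side session storage alongside state and never appear in the redirect URL.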

Sending a token

Include the bearer token in the Authorization header of every authenticated request:

Authorization: Bearer <token>

Example:

curl -s \
  -H "Authorization: Bearer $TOKEN" \
  https://api.merion.com.au/partner/referrals

Token expiry

Access tokens are short-lived. Refresh tokens are issued for long-lived integrations. Use the expires_in field in the token response to determine when to refresh. Merion does not guarantee a specific expiry duration — treat the expires_in value as authoritative.

CORS policy

Cross-origin requests are accepted from Merion subdomains (*.merion.com.au) only. If you are building a browser-based integration hosted on your own domain, you will need to proxy API requests through your own server — direct browser calls to api.merion.com.au from third-party origins will be rejected by the browser CORS preflight.

Rate limiting

Rate limits apply per API key / token. The limits are not published; if your integration is rejected with 429 Too Many Requests, implement exponential back-off with jitter. The Retry-After header is included in 429 responses when available.

Requesting access

API access is available to approved partners and integrators only. To apply:

  1. Email [email protected] with the subject line "API Access Request".
  2. Briefly describe your use case, the integration you are building, and your relationship with Merion (partner, client, integrator).
  3. The Merion team will respond within two business days and initiate the partner onboarding flow if your use case is approved.
  4. Upon approval you will receive an OIDC client ID and the onboarding steps to complete the credential setup.

There is no self-service sign-up. All integrations are reviewed before credentials are issued.

Environments

Merion operates a single environment exposed at api.merion.com.au. A sandbox or staging environment may be made available to approved partners during integration development — ask your Merion contact during onboarding.

Support

See the Status & Support page for how to report issues and get help. For urgent API incidents, email [email protected] with "API Incident" in the subject line.
