Authentication
Authentication against our Banking API is performed via an OAuth 2.0 client credentials grant flow.
Use the client credentials (ID and secret) provided to you during onboarding
to make a request to our /token
endpoint to generate an access_token
.
$ curl https://api.test.figurepay.com/oauth2/token \
-H 'Accept: application/json' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data "client_id=abc" \
--data "client_secret=xyz" \
--data "grant_type=client_credentials"
{
"access_token": "FOEtUHwg0das9PhsasVmgMGbZn7nWSgK"
}
The access_token
is then placed in an HTTP Bearer authentication header for
subsequent requests to our API.
$ curl https://api.test.figurepay.com/profiles \
-H 'Authorization: Bearer FOEtUHwg0das9PhsasVmgMGbZn7nWSgK'
...
An access_token
expires after one hour. Subsequent request will produce an HTTP 401 response until
your client application re-authenticates using the above /token
endpoint.
Client credentials are unique per environment. Please make sure you are using the right credentials with the right environment URL to successfully perform authentication.
Security Best Practices
Below are best practices for securely storing and managing your API credentials. It is important to consider that any lost or stolen API credentials can result in authorized access to your user's personal information, their accounts, and any entity associated with your program, so it's essential to keep your credentials secured.
If you suspect that your API credentials or an access_token has been leaked, please contact our support team immediately. We will temporarily deactivate your account access in order to prevent any further unauthorized access.
Client Credentials
Client credentials are long-lived API credentials that allow you to generate short-lived tokens for accessing our API.
Client credentials resemble a username and password. A Client ID can be freely shared but your client secret should never be shared. This includes storing the secret as plaintext through a version control system, as well as storing them in any web or mobile client application. Similarly, your secret should not be shared unencrypted over email or instant message.
Client credentials should only be accessible by your servers and always encrypted at-rest and in-transit over HTTPS.
When providing your client credentials to the /token
endpoint in exchange
for an access_token
, only provide the client secret via the POST body
to ensure encryption in-transit over SSL.
Access Tokens
Access tokens are opaque tokens used to authenticate your API requests. They are short-lived tokens that, if lost, will invalidate themselves on expiry.
Access tokens do not need to be persisted by your application as they are ephemeral. Similarly, access tokens should not be shared as plaintext in the same ways that your client secret shouldn't be shared.
Access tokens should only be transmitted over HTTPS and should be excluded from URL query parameters.