Authentication
You must be a verified user to make API requests. You can authorize against the API with an OAuth access token.
OAuth access token
Currently, we support two OAuth grant types.
1. Client Credentials:
The Client Credentials grant type is used by clients to obtain an access token outside of the context of a user. This is typically used by clients to access resources about themselves rather than to access a user's resources.
Usage: app-to-app communication (when you want to call our API from your backend or your own APIs).
We will provide you with the OAuth clientId and clientSecret. Use these credentials with the client_credentials grant_type to obtain an access token, then present that token when calling our API.
2. Auth Code Flow (with PKCE, Proof Key for Code Exchange):
The Authorization Code grant type is used by confidential and public clients to exchange an authorization code for an access token. After the user returns to the client via the redirect URL, the application will get the authorization code from the URL and use it to request an access token. PKCE is an extension to the Authorization Code flow to prevent CSRF and authorization code injection attacks.
Usage: user-to-app communication (when you want to call our API from your frontend application).
To obtain an access token, log in to our authorization server (Ping) using grant_type authorization_code. If it is an FI SSO login (banks will have SSO connected to their own identity provider), we will not store any user details. If it is not an SSO login, cdlx has to store the user details at their end and assign each user the appropriate roles. The user details have to be provided by the banks.
Passing Access Token in headers
In your requests to our API, specify the access token in an Authorization header as follows:
Example
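The two grant types above, worked through as an added example that is not part of this page: building the client_credentials token request, generating a PKCE verifier/challenge pair and the authorization_code exchange that proves possession of it, and attaching the resulting token to API calls. The Ping endpoint URLs are placeholders, and the Bearer scheme for the Authorization header is an assumption, since the page does not name the scheme.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder endpoints for the Ping authorization server; substitute the real ones.
AUTHORIZE_URL = "https://AUTH_SERVER_PLACEHOLDER/as/authorization.oauth2"
TOKEN_URL = "https://AUTH_SERVER_PLACEHOLDER/as/token.oauth2"  # POST the form bodies below here


def client_credentials_request(client_id: str, client_secret: str) -> dict:
    """Form body for the client_credentials grant (app-to-app, no user involved).
    The secret belongs on the backend only; never ship it in a frontend bundle."""
    return {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}


def make_code_verifier() -> str:
    """RFC 7636 code_verifier: 32 random bytes -> 43 unreserved base64url characters."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(verifier)) with the '=' padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def authorization_url(client_id: str, redirect_uri: str, verifier: str, state: str) -> str:
    """Step 1: send the browser here. Only the challenge leaves the client; keep the verifier."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "state": state,  # bound to this browser session; checked on the callback (CSRF)
              "code_challenge": make_code_challenge(verifier), "code_challenge_method": "S256"}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def authorization_code_request(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Step 2: exchange the code for a token. The plain verifier proves this client started the
    flow, so a code injected from another session fails the server's S256 comparison."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "redirect_uri": redirect_uri, "code": code, "code_verifier": verifier}


def auth_header(access_token: str) -> dict:
    """Attach the token to API calls; the Bearer scheme (RFC 6750) is assumed, the page does not name it."""
    return {"Authorization": f"Bearer {access_token}"}
```

The verifier must stay in the client (server-side session or memory for a public client) between the two steps; storing it anywhere the redirect response can reach defeats the protection.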