Finqware API

Security model


Last updated 3 years ago

The Finqware API is protected by a number of keys and tokens.

It is important to follow best practice on where it is safe to store and use them. You can make an API call from a web application using the client_id, but use an access_token only from your server-side code. Security experts currently generally agree that you cannot safely store secrets in a client application (web or mobile code).

Besides the API keys listed here, /v1s is an extra-secured endpoint (recommended for production) that requires message digest and signing; please check the details.

| Token/key | Client | Description |
| --- | --- | --- |
| client_id | yes | An identifier for a tenant app |
| client_secret | no | A secret generated for each tenant app |
| client_app_key | yes | Used to initiate a user session |
| temp_token | yes | A temporary token that can be exchanged for an access_token |
| credentials_id | no | A consent record that points to user data (e.g. a bank account, an insurance) |
| access_token | no | A permanent token authorizing access to user data |
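
Added example (not part of the Finqware documentation): one way a tenant back-end could enforce the table above before data reaches the browser, by rejecting any payload that carries a field the table marks "no" in the Client column. The function names and sample values are hypothetical; only the key names come from this page.

```javascript
// Keys the table marks as not safe for client code.
const SERVER_ONLY = new Set(["client_secret", "credentials_id", "access_token"]);

// Walk a JSON-like value and return the paths of all server-only fields,
// including ones nested inside objects and arrays.
function findServerOnlyFields(value, path = "$", seen = new Set()) {
  if (value === null || typeof value !== "object" || seen.has(value)) return [];
  seen.add(value); // guards against circular references
  const hits = [];
  for (const [key, child] of Object.entries(value)) {
    const isArray = Array.isArray(value);
    const childPath = isArray ? `${path}[${key}]` : `${path}.${key}`;
    if (!isArray && SERVER_ONLY.has(key.toLowerCase())) {
      hits.push(childPath);
      continue; // no need to descend into the secret itself
    }
    hits.push(...findServerOnlyFields(child, childPath, seen));
  }
  return hits;
}

// Fail loudly instead of silently stripping, so a leak shows up in tests
// and logs (only the field paths are reported, never the values).
function assertClientSafe(payload) {
  const hits = findServerOnlyFields(payload);
  if (hits.length > 0) {
    throw new Error(`server-only fields in client payload: ${hits.join(", ")}`);
  }
  return payload;
}

// Constructed sample payloads (all values are placeholders).
const sampleSafe = {
  client_id: "demo-client-id",
  session: { temp_token: "demo-temp-token" },
};
const sampleLeaky = {
  client_id: "demo-client-id",
  session: { temp_token: "demo-temp-token" },
  accounts: [{ name: "Main", auth: { access_token: "demo-access-token" } }],
  credentials_id: "demo-credentials-id",
};
```

Call `assertClientSafe` at the last point before a response or rendered page leaves the back-end, so the check also covers fields copied in by accident from an upstream API response.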
