Security model

The Finqware API is protected by a number of keys and tokens.

It is important to follow the best practice around where it's safe to store/use them. You can make an API call from a web application using the client_id, but use an access_token only from your server-side code. Currently, a generally accepted opinion among security experts is that you cannot safely store secrets in a client application (web or mobile code).

Besides the API keys listed here, the /v1s is an extra secured endpoint (recommended for production) that requires message digest & signing - please check the details here.

Token/key	Client	Description
client_id	yes	An identifier for a tenant app
client_secret	no	A secret generated for each tenant app
client_app_key	yes	Used to initate a user session
temp_token	yes	A temporary token that can be exchanged for an access_token
credentials_id	no	A consent record that points to user data (eg: a bank account, an insurance)
access_token	no	A permanent token authorizing access to user data

Token/key

Client

Description

client_id

yes

An identifier for a tenant app

client_secret

A secret generated for each tenant app

client_app_key

yes

Used to initate a user session

temp_token

yes

A temporary token that can be exchanged for an access_token

credentials_id

A consent record that points to user data (eg: a bank account, an insurance)

access_token

A permanent token authorizing access to user data

PreviousTenants NextTenant-level elements

Last updated 2 years ago