Authentication for FinHub API Integration Environment
Client credentials (`customerId` and `customerSecret`) are pre-configured during onboarding.

Note: Unlike the Playground environment, client credentials (`customerId` and `customerSecret`) are not included in the request body, as they are pre-configured during onboarding.
Header | Description | Required | Example |
---|---|---|---|
Content-Type | Media type of the request body | Yes | application/json |
sec-ch-ua-platform | Client platform information | Yes | Windows |
X-Forwarded-For | Client IP address | Yes | 127.0.0.1 |
User-Agent | Client user agent information | Yes | Mozilla/5.0 (Windows NT 10.0; Win64; x64) |
X-Tenant-ID | Tenant identifier for multi-tenant operations | Yes | 1234567 |
Parameter | Description | Required | Source |
---|---|---|---|
username | Integration username | Yes | Provided in integration onboarding |
password | Integration password | Yes | Provided in integration onboarding |
accountType | Type of account (b2b or b2c) | Yes | Based on your integration type |
grantType | OAuth2 grant type (password, client_credentials, etc.) | Yes | Based on your integration flow |
Important: Client credentials (`customerId` and `customerSecret`) are securely configured during the integration onboarding process and are not included in API requests. These credentials are shared only with authorized company representatives and are used internally by the Sandbox Backend to authenticate with the API Gateway.
Parameter | Description | Usage |
---|---|---|
expires_in | Token expiration time in seconds | Use to determine when to refresh authentication |
token_type | Type of token (always “Bearer”) | Required for Authorization header format |
scope | Scope of access granted | Identifies the permissions granted |
customerId | Unique identifier for the customer | Reference in customer-related operations |
tenantId | Identifier for the tenant | Used for multi-tenant operations |
userSessionToken | JWT token for user session validation | Used for session validation and contains user identity claims |
Note: The JWT token (`userSessionToken`) contains an internal cache key that the Sandbox Backend uses to retrieve and cache the actual Bearer token for API Gateway requests. This mechanism is transparent to clients and ensures that access tokens are never exposed directly. In the Integration environment, this key is linked to the pre-configured client credentials established during onboarding.
Important Note: When you authenticate, the system generates an access token internally that is used to access backend services. This token has an expiration time specified by the `expires_in` parameter. If your API requests start receiving `401 Unauthorized` errors with a message indicating that the access token has expired, you will need to authenticate again to obtain a new token. The access token is managed by the system and is not directly exposed to clients for security reasons.
Note: The `internalTokenKey` is extracted from the claims in the JWT token (`userSessionToken`). This key is used by the Sandbox Backend to identify and refresh the associated access token without requiring client credentials to be sent in the request. If the token has more than 10% of its validity time remaining, it will not be refreshed and the current validity will be returned in the response.

Security: Token refresh requires authentication with a valid session token. The user in the authenticated session must match the user associated with the token being refreshed.
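The request shape from the header and body tables, the response fields, and the re-authentication and 10% refresh rules from the notes, as an added Python example that is not FinHub's own client code. The auth URL, the injectable `transport` callable, sending `userSessionToken` as a Bearer Authorization header, and the `message` field of the 401 body are assumptions; the page does not state them.

```python
import time

# Constructed placeholder: the page does not state the Integration auth endpoint URL.
AUTH_URL = "https://<integration-host>/auth"
REFRESH_THRESHOLD = 0.10  # page: no refresh while more than 10% of validity remains

def build_auth_request(creds, client):
    """Headers and body per the request tables; customerId/customerSecret are deliberately absent."""
    headers = {
        "Content-Type": "application/json",
        "sec-ch-ua-platform": client["platform"],
        "X-Forwarded-For": client["ip"],
        "User-Agent": client["user_agent"],
        "X-Tenant-ID": client["tenant_id"],
    }
    body = {k: creds[k] for k in ("username", "password", "accountType", "grantType")}
    return headers, body

class IntegrationSession:
    """Keeps the userSessionToken; re-authenticates when it nears expiry or is rejected as expired."""
    def __init__(self, transport, creds, client, now=time.time):
        self.transport = transport  # callable(url, headers, body) -> (status, dict); injectable for tests
        self.creds, self.client, self.now = creds, client, now
        self.token = self.expires_in = self.issued_at = None

    def authenticate(self):
        status, resp = self.transport(AUTH_URL, *build_auth_request(self.creds, self.client))
        if status != 200 or resp.get("token_type") != "Bearer":
            raise RuntimeError(f"authentication failed: {status} {resp}")
        self.token, self.expires_in = resp["userSessionToken"], int(resp["expires_in"])
        self.issued_at = self.now()
        return resp

    def remaining_fraction(self):
        return max(0.0, 1.0 - (self.now() - self.issued_at) / self.expires_in)

    def needs_refresh(self):  # client-side mirror of the server's 10% rule
        return self.remaining_fraction() <= REFRESH_THRESHOLD

    def call(self, url, body):
        """Assumed: session token as Bearer Authorization header; expired 401 carries a 'message' field."""
        if self.token is None or self.needs_refresh():
            self.authenticate()
        headers = {"Authorization": f"Bearer {self.token}", "X-Tenant-ID": self.client["tenant_id"]}
        status, resp = self.transport(url, headers, body)
        if status == 401 and "expired" in str(resp.get("message", "")).lower():
            self.authenticate()  # re-authenticate once, then retry with the new token
            headers["Authorization"] = f"Bearer {self.token}"
            status, resp = self.transport(url, headers, body)
        return status, resp
```

Pass a real HTTP transport (for example one built on `requests.post` that returns `(r.status_code, r.json())`) for live use; the fake transport below exercises the same code paths offline.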
Feature | Playground | Integration |
---|---|---|
Token Expiration | Longer (10000s) | Standard (3600s) |
Grant Types | Limited | Full OAuth2 support |
Error Responses | Basic | Detailed with error codes |
Certificate Validation | Optional | Required |
Token Refresh | Not supported | Supported |
Error Code | Description | Solution |
---|---|---|
401 Unauthorized | Invalid credentials | Verify username, password, client ID, and client secret |
403 Forbidden | Insufficient permissions | Verify tenant ID and account permissions |
429 Too Many Requests | Rate limit exceeded | Reduce authentication frequency |
400 Bad Request | Invalid request format | Check request format and parameters |
500 Internal Server Error | Server-side error | Contact support with error details |