Authentication for FinHub API Playground Environment
customerId and customerSecret sent directly in the request

Header | Description | Required | Example |
---|---|---|---|
Content-Type | Media type of the request body | Yes | application/json |
sec-ch-ua-platform | Client platform information | Yes | Windows |
X-Forwarded-For | Client IP address | Yes | 127.0.0.1 |
User-Agent | Client user agent information | Yes | Mozilla/5.0 (Windows NT 10.0; Win64; x64) |
X-Tenant-ID | Tenant identifier for multi-tenant operations | Yes | 1234567 |

Parameter | Description | Required | Source |
---|---|---|---|
username | Sandbox username | Yes | Provided in welcome email |
password | Sandbox password | Yes | Provided in welcome email |
customerId | Client ID for your sandbox tenant | Yes | Provided in sandbox activation email |
customerSecret | Client secret for your sandbox tenant | Yes | Provided in sandbox activation email |
accountType | Type of account (b2b or b2c) | Yes | Based on your integration type |

Important: The customerId and customerSecret are only sent directly in requests in the Playground environment. In Integration and Production environments, these credentials are securely configured during onboarding and not included in API requests.

Parameter | Description | Usage |
---|---|---|
expires_in | Token expiration time in seconds | Use to determine when to refresh authentication |
token_type | Type of token (always “Bearer”) | Required for Authorization header format |
scope | Scope of access granted | Identifies the permissions granted |
customerId | Unique identifier for the customer | Reference in customer-related operations |
tenantId | Identifier for the tenant | Used for multi-tenant operations |
userSessionToken | JWT token for user session validation | Used for session validation and contains user identity claims |

Note: The JWT token (userSessionToken) contains an internal cache key that the Sandbox Backend uses to retrieve and cache the actual Bearer token for API Gateway requests. This internal mechanism is transparent to clients and ensures that access tokens are never exposed directly.

Important Note: When you authenticate, the system generates an access token internally that is used to access backend services. This token has an expiration time specified by the expires_in parameter. If your API requests start receiving 401 Unauthorized errors with a message indicating that the access token has expired, you will need to authenticate again to obtain a new token. The access token is managed by the system and is not directly exposed to clients for security reasons.

Note: The internalTokenKey is extracted from the claims in the JWT token (userSessionToken). This key is used by the Sandbox Backend to identify and refresh the associated access token without requiring client credentials to be sent in the request. If the token has more than 10% of its validity time remaining, it will not be refreshed and the current validity will be provided in the response.

Security: Token refresh requires authentication with a valid session token. The user in the authenticated session must match the user associated with the token being refreshed.

Error Code | Description | Solution |
---|---|---|
401 Unauthorized | Invalid credentials | Verify username, password, client ID, and client secret |
403 Forbidden | Insufficient permissions | Verify tenant ID and account permissions |
429 Too Many Requests | Rate limit exceeded | Reduce authentication frequency |
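
The expiry and refresh rules in the notes above, together with the error table, can be applied on the client as in the following sketch. This is an added example, not FinHub code: the class and function names, the backoff schedule and the sample response are assumptions, and the 10% threshold is assumed to be measured against the expires_in value returned at authentication.

```python
import time
from dataclasses import dataclass, field

REFRESH_THRESHOLD = 0.10  # per the page: no refresh while more than 10% of validity remains


@dataclass
class PlaygroundSession:
    expires_in: int    # lifetime in seconds, from the authentication response
    issued_at: float   # client clock reading when that response arrived
    user_session_token: str = field(repr=False)  # excluded from repr() so it cannot leak into logs

    @classmethod
    def from_response(cls, body, now=None):
        # The response table states token_type is always "Bearer"; reject anything else.
        if body.get("token_type") != "Bearer":
            raise ValueError("unexpected token_type: %r" % body.get("token_type"))
        issued = time.time() if now is None else now
        return cls(int(body["expires_in"]), issued, body["userSessionToken"])

    def remaining(self, now):
        return max(0.0, self.issued_at + self.expires_in - now)

    def next_action(self, now):
        left = self.remaining(now)
        if left <= 0:
            return "authenticate"  # expired: requests would start returning 401
        if left <= REFRESH_THRESHOLD * self.expires_in:
            return "refresh"       # inside the window where a refresh is honoured
        return "use"               # a refresh now would only return the current validity


def on_status(status, attempt):
    # Map the error table to (action, delay_seconds).
    if status == 401:
        return ("authenticate", 0.0)  # expired token or invalid credentials: log in again
    if status == 403:
        return ("stop", 0.0)          # tenant ID or permissions problem: retrying will not help
    if status == 429:
        return ("wait", min(60.0, 2.0 ** attempt))  # assumed backoff schedule, capped at 60 s
    return ("ok", 0.0)


# Constructed sample response; the token value is a placeholder, not a real JWT.
SAMPLE = {"expires_in": 3600, "token_type": "Bearer",
          "userSessionToken": "PLACEHOLDER.JWT.VALUE"}
```

Treating 403 as a stop condition and backing off on 429 keeps a misconfigured client from hammering the authentication endpoint with credentials that will not succeed.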
Tenant identifier
"1234567"
Client platform information
"Windows"
Client IP address
"192.168.1.1"
Sandbox login credentials
The body is of type object.
Authentication successful
The response is of type object.