Authentication for FinHub API Production Environment

Header | Description | Required | Example |
---|---|---|---|
Content-Type | Media type of the request body | Yes | application/json |
sec-ch-ua-platform | Client platform information | Yes | Windows |
X-Forwarded-For | Client IP address | Yes | 127.0.0.1 |
User-Agent | Client user agent information | Yes | Mozilla/5.0 (Windows NT 10.0; Win64; x64) |
X-Tenant-ID | Tenant identifier for multi-tenant operations | Yes | 1234567 |

Parameter | Description | Required | Source |
---|---|---|---|
username | Production username | Yes | Provided in production onboarding |
password | Production password | Yes | Provided in production onboarding |
customerId | Client ID for your production tenant | Yes | Developer Portal > API Access |
customerSecret | Client secret for your production tenant | Yes | Developer Portal > API Access |
accountType | Type of account (b2b or b2c) | Yes | Based on your integration type |
grantType | OAuth2 grant type (password, client_credentials, etc.) | Yes | Based on your integration flow |

Parameter | Description | Usage |
---|---|---|
expires_in | Token expiration time in seconds | Use to determine when to refresh authentication |
token_type | Type of token (always “Bearer”) | Required for Authorization header format |
scope | Scope of access granted | Identifies the permissions granted |
customerId | Unique identifier for the customer | Reference in customer-related operations |
tenantId | Identifier for the tenant | Used for multi-tenant operations |
userSessionToken | JWT token for user session validation | Used for session validation and contains user identity claims |
refreshToken | Token used to obtain a new session token without re-authentication | Used when the session token expires |
Important Note: When you authenticate, the system generates an access token internally that is used to access backend services. This token has an expiration time specified by the `expires_in` parameter. If your API requests start receiving `401 Unauthorized` errors with a message indicating that the access token has expired, you will need to authenticate again to obtain a new token. The access token is managed by the system and is not directly exposed to clients for security reasons.
Note: The `internalTokenKey` is extracted from the claims in the JWT token (`userSessionToken`). This key is used by the API Clients' BFF to identify and refresh the associated access token without requiring client credentials to be sent in the request. If the token has more than 10% of its validity time remaining, it will not be refreshed and the current validity will be provided in the response.

Security: Token refresh requires authentication with a valid session token. The user in the authenticated session must match the user associated with the token being refreshed.

Feature | Integration | Production |
---|---|---|
Token Expiration | Standard (3600s) | Shorter (1800s) |
Certificate Requirements | Optional | Mandatory |
IP Restrictions | Limited | Strict |
Error Responses | Detailed | Detailed with audit logging |
Rate Limiting | Moderate | Strict |

Error Code | Description | Solution |
---|---|---|
401 Unauthorized | Invalid credentials | Verify username, password, client ID, and client secret |
403 Forbidden | Insufficient permissions or invalid certificate | Verify certificate and permissions |
429 Too Many Requests | Rate limit exceeded | Reduce authentication frequency |
400 Bad Request | Invalid request format | Check request format and parameters |
500 Internal Server Error | Server-side error | Contact support with error details |
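The following is an added client-side example, not FinHub's own SDK or code from this page: it assembles the documented headers and parameters for the authentication call, keeps the response fields as a session, applies the 10% refresh rule from the note above, and maps the error codes in the table to a next step. Field names, the b2b/b2c and grant type values, and the 1800s/3600s lifetimes come from the page; the function and class names are assumptions.

```python
from dataclasses import dataclass

def build_auth_request(tenant_id, client_ip, user_agent, platform, username,
                       password, customer_id, customer_secret,
                       account_type="b2b", grant_type="password"):
    """Assemble the required headers and body for the authentication call."""
    if account_type not in ("b2b", "b2c"):
        raise ValueError("accountType must be 'b2b' or 'b2c'")
    headers = {"Content-Type": "application/json",
               "sec-ch-ua-platform": platform,
               "X-Forwarded-For": client_ip,
               "User-Agent": user_agent,
               "X-Tenant-ID": str(tenant_id)}
    body = {"username": username, "password": password,
            "customerId": customer_id, "customerSecret": customer_secret,
            "accountType": account_type, "grantType": grant_type}
    return headers, body

@dataclass
class Session:
    """Values taken from the authentication response, plus issue time."""
    user_session_token: str
    refresh_token: str
    expires_in: int      # seconds: 3600 in integration, 1800 in production
    issued_at: float     # time.time() when the response was received
    token_type: str = "Bearer"

    def remaining(self, now: float) -> float:
        return max(0.0, self.issued_at + self.expires_in - now)

    def needs_refresh(self, now: float) -> bool:
        # The service will not refresh while more than 10% of the validity
        # remains, so only call refresh at or below that threshold.
        return self.remaining(now) <= 0.10 * self.expires_in

    def authorization_header(self) -> dict:
        return {"Authorization": f"{self.token_type} {self.user_session_token}"}

def session_from_response(resp: dict, issued_at: float) -> Session:
    """Check the response shape before trusting it (constructed helper)."""
    if resp.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    return Session(resp["userSessionToken"], resp["refreshToken"],
                   int(resp["expires_in"]), issued_at)

def next_action(status: int, message: str = "") -> str:
    """Map the documented error codes to the client's next step."""
    if status == 401 and "expired" in message.lower():
        return "reauthenticate"          # access token expired: log in again
    return {401: "check_credentials", 403: "check_certificate_and_permissions",
            429: "back_off", 400: "fix_request"}.get(status, "contact_support")
```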