Authentication & Authorization
Authenticate and authorize all API calls
To secure your applicaiton, you with need to authenticate and authorize all your API calls. To do this take the following steps
Step 1: Obtain your application credentials
To begin, you’ll need to acquire your appKey and appPassword. You can find these credentials under the “Applications” menu in the portal.
Step 2. Select a user to delegate transaction permissions
When making API calls using the Xente API, there must be a user with the necessary permissions delegated to carry out these transactions. You can select the user to delegate to under the “Applications” menu, specifically the “Auth Users” section.
Step 3. Authenticate your application
With your appKey, appPassword, and a delegated userId, you are ready to authenticate your application. Use the code snippet below to do so:
curl -X POST https://api.xente.co/api/auth/login \
-H "Content-Type: application/json" \
-d '{
"appKey": "YourAppKey",
"appPassword": "YourAppPassword",
"userId": "Userid delegated to make the request",
"includeRefereshToken": true
}'
If you authenticate successfully, you will get a response JSON with the following parameters.
| Key | Type | Description |
|---|---|---|
| Token | string | Authentication token that you will use to authenticate subsquent API calls |
| refreshToken | string | The refresh token is used to refresh session without requiring new user login |
| success | boolean | Status of authentication request |
| message | string | A description of status |
Important information on the Token
- The lifetime of the token is 60 minutes. Once it expires, use the refresh token to obtain another one or have the user log in again.
- The token will only be exposed once. Safely store it in the cache for the duration of its lifetime
Step 4. Authorize your API calls
After successfully authenticating your application and user and obtaining a valid token, you can use it for authorization as demonstrated below.
Important notes on authentication
- App Key and App Password: Find your App Key and App Password under Applications in the portal.
- Keep your credentials safe: You can only view your App Key and App Password once. It is your responsibility to keep them safe, e.g., do not store them in Git or expose them to unauthorized people.
- User Delegation: Select the user who will be delegated to make API requests under Applications in the portal. The transactions initiated will be processed according to the permissions the user has.
- Whitelisting: Whitelist your application IP address in the portal.
- HTTPS: All API requests must be made over HTTPS.
- Authentication: API requests without authentication will fail with status code 401: Unauthorized.