To secure your applicaiton, you with need to authenticate and authorize all your API calls. To do this take the following steps

Step 1: Obtain your application credentials

To begin, you’ll need to acquire your appKey and appPassword. You can find these credentials under the “Applications” menu in the portal.

Step 2. Select a user to delegate transaction permissions

When making API calls using the Xente API, there must be a user with the necessary permissions delegated to carry out these transactions. You can select the user to delegate to under the “Applications” menu, specifically the “Auth Users” section.

Step 3. Authenticate your application

With your appKey, appPassword, and a delegated userId, you are ready to authenticate your application. Use the code snippet below to do so:

curl -X POST \
     -H "Content-Type: application/json" \
     -d '{
         "appKey": "YourAppKey",
         "appPassword": "YourAppPassword",
         "userId": "Userid delegated to make the request",
         "includeRefereshToken": true

If you authenticate successfully, you will get a response JSON with the following parameters.

TokenstringAuthentication token that you will use to authenticate subsquent API calls
refreshTokenstringThe refresh token is used to refresh session without requiring new user login
successbooleanStatus of authentication request
messagestringA description of status

Important information on the Token

  1. The lifetime of the token is 60 minutes. Once it expires, use the refresh token to obtain another one or have the user log in again.
  2. The token will only be exposed once. Safely store it in the cache for the duration of its lifetime

Step 4. Authorize your API calls

After successfully authenticating your application and user and obtaining a valid token, you can use it for authorization as demonstrated below.

curl Url
-H "Authorization: Bearer PUT_YOUT_TOKEN_HERE"

Important notes on authentication

  1. App Key and App Password: Find your App Key and App Password under Applications in the portal.
  2. Keep your credentials safe: You can only view your App Key and App Password once. It is your responsibility to keep them safe, e.g., do not store them in Git or expose them to unauthorized people.
  3. User Delegation: Select the user who will be delegated to make API requests under Applications in the portal. The transactions initiated will be processed according to the permissions the user has.
  4. Whitelisting: Whitelist your application IP address in the portal.
  5. HTTPS: All API requests must be made over HTTPS.
  6. Authentication: API requests without authentication will fail with status code 401: Unauthorized.