Authentication
Some resources are public (banks and categories) meaning that only providing a client_id is required but the majority of the resources need a logged in user.
The User ressource is an abstraction of the end user, so you need to authenticate him in a Server-to-Server way. That means no action is needed from his part :
curl 'https://sync.bankin.com/v2/authenticate' \
-X POST \
-H 'Bankin-Version: 2019-02-18' \
-H 'Content-Type: application/json' \
-H 'Client-Id: MY_CLIENT_ID' \
-H 'Client-Secret: MY_CLIENT_SECRET'\
-d $'{
"email": "[email protected]",
"password": "password123"
}'
The response should contain the access_token :
{
"access_token": "<returned_access_token>",
"expires_at": "2019-04-26T15:49:04.511Z",
"user": {
"uuid": "<user_uuid>",
"resource_uri": "/v2/users/<user_uuid>",
"resource_type": "user",
"email": "[email protected]"
}
}
To perform the authenticated calls, you must provide this token in the Authorization request header (using the bearer authentication scheme).
Example :
curl "https://sync.bankin.com/v2/items?limit=100" \
-X GET \
-H 'Bankin-Version: 2019-02-18' \
-H 'Client-Id: MY_CLIENT_ID' \
-H 'Client-Secret: MY_CLIENT_SECRET' \
-H 'Authorization: Bearer TOP_SECRET_ACCESS_TOKEN'
Session expiration
The OAuth token is valid for two hours after it has been issued. Making calls with an expired token will return an HTTP 401 error and require a new authentication.
Updated about 4 years ago