Info

Before you get started, make sure you have already created an Everifin user account. More details on how to create a user account are here: API Access Prerequisites. Afterwards, you can Connect Bank Account With Everifin UI.

Authentication is facilitated by OpenID Connect, which is a simple identity layer on top of the OAuth 2.0 protocol.

Authorization code grant type

The authorization code grant type is one of the grant types provided by the OAuth protocol. In this case the client’s service account and the user account are both authenticated; if this succeeds, the authorization code returned can be exchanged for an access token.

Info

The authorization code grant type is supported by default. Other OAuth 2.0 grant types can be configured as well; contact us for more information.

Step 1: Redirect end-user to the Authorization endpoint

request method: GET

The authorization code is a temporary code that the client will exchange for an access token. The code itself is obtained from the authorization server where the user gets a chance to see what information the client (in this case the client is Everifin Application) is requesting, and approve or deny the request.

...

This code is then used to request an access and refresh token.

Step 2: Obtain Bearer Token from the Token endpoint

request method: POST

Info

We will provide you with your own authentication realm. The value is used in the URL below.

...

Info

The Authorization HTTP Header value is used to identify a specific user.

If you need to access the API in the context of a different user (e.g. to access balances and transactions belonging to someone else), you need to authenticate that user and use the access_token value specific to them.

Refreshing an expired token

The access token expires after some time; this period is specified in the expires_in attribute of the response from step 2. Once the access_token has expired, you will start getting 401 Unauthorized responses from the API.

...

Response: JSON object containing access_token and refresh_token.

Logout

When the user decides to end the session, the logout endpoint should be called. This invalidates the refresh_token. The access_token remains valid for the period specified in the /token endpoint response from step 2. Usually, this is a short period of 5 minutes.

...
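The whole flow described on this page (step 1 redirect, step 2 code exchange, refreshing before expires_in runs out, and logout invalidating only the refresh_token) as an added Python example; it is not Everifin's code, and the endpoint paths under the realm, the client credentials and the injected `post` callable are assumptions standing in for the URLs elided above.

```python
import time
from urllib.parse import urlencode
# Placeholder base URL: the realm-specific endpoints are elided ("...") on the page.
BASE = "https://auth.example.invalid/realms/{realm}"

def build_authorization_url(realm, client_id, redirect_uri, state):
    """Step 1: URL the end-user's browser is sent to (GET); state ties the callback to this session."""
    q = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
         "scope": "openid", "state": state}
    return f"{BASE.format(realm=realm)}/authorize?{urlencode(q)}"

class TokenSession:
    """Holds the step 2 tokens, refreshes before expires_in runs out, and handles logout."""
    def __init__(self, realm, client_id, client_secret, post, clock=time.monotonic):
        self.token_url = f"{BASE.format(realm=realm)}/token"
        self.logout_url = f"{BASE.format(realm=realm)}/logout"
        self.client_id, self.client_secret = client_id, client_secret
        self.post, self.clock = post, clock  # post(url, form) -> dict; injected so the flow runs offline
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _store(self, tok):
        self.access_token = tok["access_token"]
        self.refresh_token = tok.get("refresh_token", self.refresh_token)
        self.expires_at = self.clock() + float(tok["expires_in"])

    def exchange_code(self, code, redirect_uri):
        """Step 2: swap the authorization code for access_token and refresh_token (POST)."""
        self._store(self.post(self.token_url, {
            "grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": self.client_id, "client_secret": self.client_secret}))

    def refresh(self):
        """Trade the refresh_token for a new access_token rather than waiting for a 401."""
        if not self.refresh_token:
            raise RuntimeError("no refresh_token: the user must authenticate again (step 1)")
        self._store(self.post(self.token_url, {
            "grant_type": "refresh_token", "refresh_token": self.refresh_token,
            "client_id": self.client_id, "client_secret": self.client_secret}))

    def auth_header(self):
        """Authorization header for API calls; refreshes 30 s before expires_at is reached."""
        if self.clock() >= self.expires_at - 30:
            self.refresh()
        return {"Authorization": f"Bearer {self.access_token}"}

    def logout(self):
        """Invalidate the refresh_token; the access_token stays valid until expires_in elapses."""
        self.post(self.logout_url, {"refresh_token": self.refresh_token, "client_id": self.client_id})
        self.refresh_token = None
```

After logout, any further attempt to refresh raises, so the client must send the user back through step 1 once the remaining access_token lifetime is used up.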