Access token

We issue two kinds of user token:

  • Auth token: returned from login. Only usable against a small set of endpoints to look up identities and request an access token.
  • Access token: issued in exchange for an auth token. Required for all other identity-scoped API calls.

You always exchange an auth token for an access token, even for a simple login. This page covers two cases where handling the exchange explicitly matters: multi-identity root users, and biometric enrollment or login.

Multi-identity root users

Root users can be linked to multiple identities using the same credentials (username and password).

For root users linked to multiple identities, tokens are used as follows:

POST Login with password returns an auth token. The auth token can only be used against the following endpoints:

GET /identities (example response):
{
  "identities": [
    {
      "id": {
        "type": "CONSUMER",
        "id": "string"
      },
      "name": "string"
    }
  ],
  "count": 0,
  "responseCount": 0
}

POST /access_token (example request):
{
  "identity": {
    "type": "CONSUMER",
    "id": "string"
  },
  "clientAssertion": "string"
}

To receive an access token for the intended identity, specify the identity in the call to POST Acquire a new access token.

Biometrics

Enrollment via biometrics

Tokens are used as follows:

  1. Call POST Login with password. The response returns an auth token, which can only be used against the following endpoints:

    GET /identities (example response):
    {
      "identities": [
        {
          "id": {
            "type": "CONSUMER",
            "id": "string"
          },
          "name": "string"
        }
      ],
      "count": 0,
      "responseCount": 0
    }

    POST /access_token (example request):
    {
      "identity": {
        "type": "CONSUMER",
        "id": "string"
      },
      "clientAssertion": "string"
    }

  2. Exchange the auth token for an access token. If the user is only linked to one identity, the identity field in the request is optional.

  3. Use the access token to call POST Enroll a user device for authentication using push notifications.

  4. A push notification is sent to the user. Once they provide consent through the embedded SDK, the active access token is stepped up.

Login via biometrics

Tokens are used as follows:

  1. Initiate the login via biometrics screen through the SDK. The end-user completes the login.

  2. The token delivered by webhook is an auth token, usable only against the following endpoints:

    GET /identities (example response):
    {
      "identities": [
        {
          "id": {
            "type": "CONSUMER",
            "id": "string"
          },
          "name": "string"
        }
      ],
      "count": 0,
      "responseCount": 0
    }

    POST /access_token (example request):
    {
      "identity": {
        "type": "CONSUMER",
        "id": "string"
      },
      "clientAssertion": "string"
    }

  3. Exchange the auth token for an access token to use elsewhere in the system. If the user is linked to a single identity, the identity field is optional in the request and an access token for that identity is still returned. The returned access token is already stepped up.
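The exchange described above (multi-identity root users and the biometric flows), as an added Python example that is not Weavr's SDK or reference code: it picks the identity from a GET /identities response, applies the rule that the identity field may be omitted only when a single identity is linked, builds the POST /access_token body in the shape shown on this page, and refuses to send the auth token to any endpoint other than those two. The HTTP transport is an injected callable, and the clientAssertion value and identity ids are constructed placeholders.

```python
from typing import Callable, Optional

# The only endpoints an auth token may be used against (from the page).
AUTH_TOKEN_ENDPOINTS = {("GET", "/identities"), ("POST", "/access_token")}


class TokenScopeError(Exception):
    """An auth token was about to be sent where an access token is required."""


def check_auth_token_scope(method: str, path: str) -> None:
    """Refuse to use an auth token outside the two endpoints that accept it."""
    if (method.upper(), path) not in AUTH_TOKEN_ENDPOINTS:
        raise TokenScopeError(f"auth token not valid for {method} {path}; "
                              "exchange it for an access token first")


def select_identity(identities_response: dict,
                    wanted: Optional[dict] = None) -> Optional[dict]:
    """Single linked identity and no preference: None (identity is optional).
    Several identities: the caller must name one, and it must be linked."""
    linked = [entry["id"] for entry in identities_response["identities"]]
    if wanted is None:
        if len(linked) == 1:
            return None
        raise ValueError("user is linked to several identities; specify one")
    if wanted not in linked:
        raise ValueError(f"identity {wanted} is not linked to this user")
    return wanted


def build_access_token_request(identities_response: dict, client_assertion: str,
                               wanted: Optional[dict] = None) -> dict:
    """Request body for POST /access_token in the shape shown on the page."""
    body = {"clientAssertion": client_assertion}
    identity = select_identity(identities_response, wanted)
    if identity is not None:
        body["identity"] = identity
    return body


def exchange(send: Callable[[str, str, str, Optional[dict]], dict],
             auth_token: str, client_assertion: str,
             wanted: Optional[dict] = None) -> dict:
    """List identities, then request the access token, checking the auth
    token's scope before each call. `send(method, path, token, body)` is an
    injected transport (assumption: header/URL conventions live inside it)."""
    check_auth_token_scope("GET", "/identities")
    identities = send("GET", "/identities", auth_token, None)
    body = build_access_token_request(identities, client_assertion, wanted)
    check_auth_token_scope("POST", "/access_token")
    return send("POST", "/access_token", auth_token, body)
```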