
API Authentication overview

The API has three layers of authentication:

  1. Account authentication is used to identify and authenticate requests from your application. All API requests and UI components require account authentication.

  2. End-user authentication is used to authenticate the users of an identity: its root user (the individual who creates the identity; for corporate identities this must be a legal representative of the company, such as a director or someone holding power of attorney over it, and for consumer identities it is the owner of the identity; every identity always has exactly one root user) and its authorized users (individuals invited by the root user to manage the identity's instruments and transactions on its behalf without being its legal owner; for corporates, card assignees are created as authorized users). Almost all API requests and UI components require end-user authentication, which proves that one of these users is in session and is the one performing the actions requested through the API. End-user authentication is carried out with an Auth Token, which is then used to perform actions within the APIs. The operations available to a user depend on their assigned role.

  3. End-user step-up authentication is required for certain requests that fall under the Strong Customer Authentication (SCA) requirement of the PSD2 financial regulations. SCA is a two-factor authentication requirement that applies when end users access sensitive payment-account information or initiate transactions; it requires at least two of the following: something you know (a password), something you have (a device), or something you are (biometrics). The end user satisfies it by passing an SCA-compliant multi-factor challenge, after which a stepped-up Auth Token is issued that allows the workflow to proceed.

Depending on the type of operation you are trying to execute, you must provide one of the following:

  • account authentication only;
  • account authentication plus end-user authentication via an Auth Token; or
  • account authentication plus step-up end-user authentication (an Auth Token issued after two-factor authentication was performed).
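The three layers nest: a stepped-up Auth Token is still an Auth Token, and an Auth Token without account authentication proves nothing about the calling application. The policy check below is an added example written for this page, not the API's own client or server code, and models that ladder as an ordered enum. Everything beyond the three layers is an assumption: the header names (`api-key` for account authentication, `Authorization: Bearer` for the Auth Token), the `stepped_up` flag on the token, and the operation names in the policy table are all invented for illustration.

```python
"""Toy model of the three authentication layers described above.

Added example, not the API's own code.  Assumptions not stated on the page:
the account credential travels in a header called `api-key`, the end-user
Auth Token as `Authorization: Bearer <token>`, and a token records whether
it was issued after a successful SCA challenge (`stepped_up`).
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class AuthLevel(IntEnum):
    """Ordered so that a higher layer always satisfies a lower one."""
    ACCOUNT = 1   # account authentication only
    END_USER = 2  # account + Auth Token
    STEP_UP = 3   # account + Auth Token issued after an SCA challenge


@dataclass(frozen=True)
class AuthToken:
    value: str
    stepped_up: bool  # assumption: True if issued after a successful SCA challenge


@dataclass(frozen=True)
class Credentials:
    api_key: Optional[str]           # account authentication
    auth_token: Optional[AuthToken]  # end-user authentication, if a user is in session


# Constructed policy table with hypothetical operation names.
REQUIRED_LEVEL = {
    "GET /reference-data": AuthLevel.ACCOUNT,
    "GET /accounts": AuthLevel.END_USER,
    "POST /transfers": AuthLevel.STEP_UP,
}


def presented_level(creds: Credentials) -> Optional[AuthLevel]:
    """Highest layer the credentials satisfy, or None if account auth is missing.

    Each layer is built on the one below it, so a token is only considered
    once the calling application itself has been identified.
    """
    if not creds.api_key:
        return None
    if creds.auth_token is None:
        return AuthLevel.ACCOUNT
    if creds.auth_token.stepped_up:
        return AuthLevel.STEP_UP
    return AuthLevel.END_USER


def authorize(operation: str, creds: Credentials) -> tuple[bool, str]:
    """Decide whether `creds` satisfy the layer `operation` requires.

    Returns (allowed, reason).  Unknown operations are denied: a missing
    policy entry must never fall back to the weakest requirement.
    """
    required = REQUIRED_LEVEL.get(operation)
    if required is None:
        return False, f"no policy for {operation}"
    have = presented_level(creds)
    if have is None:
        return False, "account authentication missing"
    if have >= required:
        return True, f"{have.name} satisfies {required.name}"
    if required is AuthLevel.STEP_UP and have is AuthLevel.END_USER:
        return False, "step-up required: pass an SCA challenge to obtain a stepped-up Auth Token"
    return False, f"{required.name} required, only {have.name} presented"


def build_headers(operation: str, creds: Credentials) -> dict[str, str]:
    """Attach only the headers the operation needs, failing before the call
    if the required layer cannot be satisfied.  Header names are assumptions."""
    allowed, reason = authorize(operation, creds)
    if not allowed:
        raise PermissionError(reason)
    headers = {"api-key": creds.api_key}
    if REQUIRED_LEVEL[operation] >= AuthLevel.END_USER:
        headers["Authorization"] = f"Bearer {creds.auth_token.value}"
    return headers


if __name__ == "__main__":
    # Constructed sample credentials for each layer.
    app_only = Credentials(api_key="acct-key-123", auth_token=None)
    in_session = Credentials("acct-key-123", AuthToken("tok-abc", stepped_up=False))
    stepped_up = Credentials("acct-key-123", AuthToken("tok-sca-xyz", stepped_up=True))
    for creds in (app_only, in_session, stepped_up):
        for op in REQUIRED_LEVEL:
            print(f"{op:22} {presented_level(creds).name:9} -> {authorize(op, creds)}")
```

Two design choices are worth copying into a real client: the unknown-operation branch denies rather than defaulting to account-only, and `build_headers` sends the Auth Token only when the operation's layer calls for it, so a token is not leaked on calls that never needed a user in session.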