
Authentication overview

The API has three layers of authentication:

  1. Account authentication is used to identify and authenticate requests from your application. All API requests and UI components require account authentication.

  2. End-user authentication is used to authenticate the Admin User and Authorised Users of the Buyer, i.e. the representatives of the business End Customer. Almost all API requests and UI components require end-user authentication, proving that these users are in session and are themselves initiating the actions/interactions requested through the API. End-user authentication is done with an Auth Token, which can be used to perform actions within our APIs.

  3. End-user step-up authentication is required when performing certain requests covered by a requirement for Strong Customer Authentication under PSD2 financial regulations. This is achieved by the end user successfully passing an SCA-compliant multifactor challenge, whereupon a stepped-up Auth Token is provided allowing the workflow to proceed.

Depending on the type of operation you are trying to execute, you may be required to either:

  • provide account authentication only, or
  • provide account and end-user authentication via an Auth Token, or
  • provide account and step-up end-user authentication (step-up refers to an Auth Token for which two-factor authentication was performed)

Exchanging an Auth Token for an Access Token

If you support any of the use-cases for Access Tokens, your programme will need to handle both Auth Tokens and Access Tokens.

Info: In our API documentation, we currently refer to auth_token. However, if you are configured for any of the use-cases Root Users linked to multiple identities/Biometrics, this is actually referring to the Access Token.

After completing a successful login, an Auth Token is provided. This token contains information that identifies the user and the method of authentication (password, passcode, biometrics). The Auth Token unlocks very limited functionality.

In order to grant access to the correct identity, the Auth Token needs to be exchanged for an Access Token. The Access Token contains the information that was missing from the Auth Token, namely the identity that the user would like to access.

Info: Single login accessing multiple Corporates is a new feature for Embedders who deal with Corporate users. Once activated, it allows an individual end user (root user) to be granted access to multiple Corporates via one primary email+password login, so they can switch back and forth between Corporates without having to log out and log back in with a different email+password. In order to activate this, contact us.