Authorization Types

Authorization Types

There are several authorization types used for making API calls to TBC platform.

Authorization typeDescriptionUse Case
apikeyapikey - developer app key.
should passed in request Header apikey parameters
apikey is mainly used for public APIs to identify developer app for troubleshooting/analytical reasons.
client credentials flow (oauth 2.0)The Client Credentials flow is a server to server flow. There is no user authentication involved in the process.

Reference on detailed description
client credential flow is used for authenticating developer application using developer app key and secret as basic auth parameters. Request is sent to /token endpoint and response contains bearer token, which is then used to make calls to API resources which do not require user authentication.
authorization code flow (oauth 2.0)The code flow is the most complex and secure flow in OAuth. It is split into two parts, the Authorization flow, which basically initiates user authentication and authorization session, and if this process is completed successfully, then the
Token flow is started - where client application request access-token based on auth_code received during Authorization flow.

Reference on detailed description
authorization code flow is used in cases when access to Resource Owner (User) data is required.
bearer tokenBearer tokens allow requests to authenticate using an access key, such as a JSON Web Token (JWT). The token is a text string, included in the request header. In the request Authorization tab, select Bearer Token from the Type dropdown list. In the Token field, enter your API key value—or for added security, store it in a variable and reference the variable by name.

Reference on detailed description
bearer token is received as response from request to /token endpoint.

bearer token should be passed in request authorization header in order to access protected resources on TBC side.
certificate basedauthentication using PSD2 QWAC / QSEAL certificatescertificate based authentication is used in Open Banking services, as mandated by Open banking technical standard