Several authorization types are used for making API calls to the TBC platform.
apikey - developer app key.
The apikey is mainly used for public APIs, to identify the developer app for troubleshooting and analytical purposes.
Client credentials flow (OAuth 2.0)
The client credentials flow is a server-to-server flow. There is no user authentication involved in the process.
The client credentials flow is used to authenticate the developer application, using the developer app key and secret as basic auth parameters. The request is sent to the /token endpoint and the response contains a bearer token, which is then used to call API resources that do not require user authentication.
Authorization code flow (OAuth 2.0)
The code flow is the most complex and secure flow in OAuth. It is split into two parts: the Authorization flow, which initiates the user authentication and authorization session, and if this process is completed successfully, then the
The authorization code flow is used in cases when access to Resource Owner (User) data is required.
Bearer tokens allow requests to authenticate using an access key, such as a JSON Web Token (JWT). The token is a text string, included in the request header. In the request Authorization tab, select Bearer Token from the Type dropdown list. In the Token field, enter your API key value—or for added security, store it in a variable and reference the variable by name.
The bearer token is received in the response to a request to the /token endpoint.
The bearer token should be passed in the request Authorization header in order to access protected resources on the TBC side.
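The client credentials exchange and the bearer header described above, as an added example that is not TBC's own code. It assumes a placeholder host, the standard RFC 6749 request body (grant_type=client_credentials) and response fields (access_token, token_type, expires_in), and constructed sample values; it builds the request without sending it.

```python
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Optional

# Placeholder host (assumption): the page names only the /token path.
TOKEN_URL = "https://api.example.invalid/token"
# Constructed sample response in RFC 6749 shape, not real TBC output.
SAMPLE = b'{"access_token": "sample-token-123", "token_type": "Bearer", "expires_in": 3600}'


def build_token_request(app_key: str, app_secret: str, url: str = TOKEN_URL):
    """Build (without sending) the client credentials request to /token."""
    if not url.lower().startswith("https://"):
        # Basic auth is only base64-encoded, so never send it over plain HTTP.
        raise ValueError("token endpoint must use https")
    basic = base64.b64encode(f"{app_key}:{app_secret}".encode()).decode()
    # grant_type per RFC 6749 section 4.4 (assumed; the page does not show the body).
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def parse_token_response(raw: bytes, now: Optional[float] = None) -> dict:
    """Check the token response and record when the token stops being valid."""
    doc = json.loads(raw)
    if str(doc.get("token_type", "")).lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")
    now = time.time() if now is None else now
    # A missing expires_in is treated as already expired (fail closed).
    return {"token": doc["access_token"], "expires_at": now + int(doc.get("expires_in", 0))}


def bearer_headers(token_info: dict, now: Optional[float] = None) -> dict:
    """Authorization header for resource calls; refuses an expired token."""
    now = time.time() if now is None else now
    if now >= token_info["expires_at"]:
        raise RuntimeError("token expired, request a new one from /token")
    return {"Authorization": f"Bearer {token_info['token']}"}


if __name__ == "__main__":
    req = build_token_request("constructed-app-key", "constructed-app-secret")
    print(req.get_method(), req.full_url, req.data.decode())
    info = parse_token_response(SAMPLE)
    print(sorted(bearer_headers(info)))  # header names only, never log the token
```

Keep the app secret and the returned token out of logs and source control; both grant access on their own to whoever holds them.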
Authentication using PSD2 QWAC / QSEAL certificates
Certificate-based authentication is used in Open Banking services, as mandated by the Open Banking technical standard.
Updated 9 months ago