Authentication & Authorization

Authentication

In order to login using the API, you must submit your API credentials supplied to you by Ibanera, in addition to a one time password (otp). The login endpoint authenticates a user by validating their credentials and TOTP code, providing an access token for subsequent API requests.

Refer to our guide on Generating a Time-Based One-Time Password (TOTP) with a Shared Secret.

Endpoint: /api/v1/public/auth/login
Method: POST

post

Request body parameters:

Username: Login username
Password: User password
Otp: Time-based one time password generater from provided shared secret

Response:

accessToken: Bearer access token user for authorization
expiresIn: Access token expiry time in seconds
refreshToken: Refresh token used to refresh an access token
refreshTokenExpiresIn: Refresh token expiry time in secords

Possible validation messages:

Required: Required field is missing
Username_Or_Password_Incorrect: Invalid credentials
Account_Not_Verified: Account is not permitted to use the API
Account_Locked: Account locked for 10 minutes after too many failed attempts
Account_Suppressed: Account is currently inactive

Authorizations

AuthorizationstringRequired

JWT Authorization header using the Bearer scheme.

Example: "Authorization: Bearer {token}"

Tokens can be generated using the /api/v1/public/auth/login endpoint.

Body

usernamestringRequired

passwordstring · passwordRequired

otpstringRequired

Responses

200

Success

application/json

400

Bad Request

application/json

post

/api/v1/public/auth/login

POST /api/v1/public/auth/login HTTP/1.1
Host: fintech-phoenix-customer-api-v1.api.avamae.co.uk
Authorization: YOUR_API_KEY
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 54

{
  "username": "text",
  "password": "password",
  "otp": "text"
}

{
  "status": "text",
  "errors": [
    {
      "fieldName": "text",
      "messageCode": "text"
    }
  ],
  "id": 1,
  "details": {
    "accessToken": "text",
    "expiresIn": 1
  }
}

Request Body Parameters:

username (String): The username of the user attempting to log in—required.
password (String): The password associated with the username—required.
otp (String): A time-based one-time password (TOTP) generated from the user's shared secret—required.

Request Example:

{
  "username": "exampleUser",
  "password": "examplePass",
  "otp": "123456"
}

Response Body Parameters:

id (Integer): A numerical identifier of the response, often representing the authenticated user’s ID.
details (Object):
- accessToken (String): The bearer token provided upon successful authentication.
- expiresIn (Integer): The number of seconds until the token expires.

Success Response Example:

{
  "id": 0,
  "details": {
    "accessToken": "eyJhbGciOiJIUzI1Ni...",
    "expiresIn": 3600
  },
  "status": "1",
  "errors": []
}

Authorization

API requests are authorized if the headers contains both the Authorization and otp fields.

Header Key

Expected Value

Example

Authorization

Bearer {{accessToken}}

Bearer eyJhbGciOiJIUzI1Ni...

otp

TOTP using:

SHA-1 hash
6 digit output
30 second interval based on the user’s shared secret.

679008

PreviousFirst API Call NextGenerating a Time-Based One-Time Password (TOTP) with a Shared Secret

Last updated 1 year ago

Authentication

Generates bearer access token for private endpoints

Authorization