Authentication & Authorization

Authentication

In order to login using the API, you must submit your API credentials supplied to you by Ibanera, in addition to a one time password (otp). The login endpoint authenticates a user by validating their credentials and TOTP code, providing an access token for subsequent API requests.

Refer to our guide on Generating a Time-Based One-Time Password (TOTP) with a Shared Secret.

Endpoint: /api/v1/public/auth/login
Method: POST

Generates bearer access token for private endpoints

Request body parameters:

Username: Login username
Password: User password
Otp: Time-based one time password generater from provided shared secret

Response:

accessToken: Bearer access token user for authorization
expiresIn: Access token expiry time in seconds
refreshToken: Refresh token used to refresh an access token
refreshTokenExpiresIn: Refresh token expiry time in secords

Possible validation messages:

Required: Required field is missing
Username_Or_Password_Incorrect: Invalid credentials
Account_Not_Verified: Account is not permitted to use the API
Account_Locked: Account locked for 10 minutes after too many failed attempts
Account_Suppressed: Account is currently inactive

POSThttps://fintech-phoenix-customer-api-v1.api.avamae.co.uk/api/v1/public/auth/login

Body

username*string

password*string (password)

otp*string

Response

Success

Body

statusnullable string

errorsnullable array of AvamaeTemplate.Core.Types.Results.Base.ErrorResultDto (object)

idinteger (int64)

detailsAvamaeTemplate.Core.Types.Dtos.PublicRole.AuthModule.LoginSuccessResultDetails (object)

Request

const response = await fetch('https://fintech-phoenix-customer-api-v1.api.avamae.co.uk/api/v1/public/auth/login', {
    method: 'POST',
    headers: {
      "Content-Type": "application/json-patch+json"
    },
    body: JSON.stringify({
      "otp": "text",
      "password": "password",
      "username": "text"
    }),
});
const data = await response.json();

Response

{
  "status": "text",
  "errors": [
    {
      "fieldName": "text",
      "messageCode": "text"
    }
  ],
  "details": {
    "accessToken": "text"
  }
}

Request Body Parameters:

username (String): The username of the user attempting to log in—required.
password (String): The password associated with the username—required.
otp (String): A time-based one-time password (TOTP) generated from the user's shared secret—required.

Request Example:

{
  "username": "exampleUser",
  "password": "examplePass",
  "otp": "123456"
}

Response Body Parameters:

id (Integer): A numerical identifier of the response, often representing the authenticated user’s ID.
details (Object):
- accessToken (String): The bearer token provided upon successful authentication.
- expiresIn (Integer): The number of seconds until the token expires.

Success Response Example:

{
  "id": 0,
  "details": {
    "accessToken": "eyJhbGciOiJIUzI1Ni...",
    "expiresIn": 3600
  },
  "status": "1",
  "errors": []
}

Authorization

API requests are authorized if the headers contains both the Authorization and otp fields.

Header Key	Expected Value	Example
Authorization	Bearer {{accessToken}}	Bearer eyJhbGciOiJIUzI1Ni...
otp	TOTP using: SHA-1 hash 6 digit output 30 second interval based on the user’s shared secret.	679008

Header Key

Expected Value

Example

Authorization

Bearer {{accessToken}}

Bearer eyJhbGciOiJIUzI1Ni...

otp

TOTP using:

SHA-1 hash
6 digit output
30 second interval based on the user’s shared secret.

679008

PreviousFirst API Call NextGenerating a Time-Based One-Time Password (TOTP) with a Shared Secret

Last updated 3 months ago