Authentication & Authorization

Authentication

To log in using the API, you must submit the API credentials supplied to you by Ibanera together with a one-time password (OTP). The login endpoint authenticates a user by validating their credentials and TOTP code, and returns an access token for subsequent API requests.

Refer to our guide on Generating a Time-Based One-Time Password (TOTP) with a Shared Secret.

  • Endpoint: /api/v1/public/auth/login

  • Method: POST

Generates a bearer access token for private endpoints.

Request body parameters:

  • Username: Login username
  • Password: User password
  • Otp: Time-based one-time password generated from the provided shared secret

Response:

  • accessToken: Bearer access token used for authorization
  • expiresIn: Access token expiry time in seconds
  • refreshToken: Refresh token used to refresh an access token
  • refreshTokenExpiresIn: Refresh token expiry time in seconds

Possible validation messages:

  • Required: Required field is missing
  • Username_Or_Password_Incorrect: Invalid credentials
  • Account_Not_Verified: Account is not permitted to use the API
  • Account_Locked: Account locked for 10 minutes after too many failed attempts
  • Account_Suppressed: Account is currently inactive

Body:

  • username (string): Required
  • password (string, format: password): Required
  • otp (string): Required

Responses:

  • 200: Success (application/json)

Example request:

POST /api/v1/public/auth/login HTTP/1.1
Host: fintech-phoenix-customer-api-v1.api.avamae.co.uk
Authorization: YOUR_API_KEY
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 54

{
  "username": "text",
  "password": "password",
  "otp": "text"
}

Example response:

{
  "status": "text",
  "errors": [
    {
      "fieldName": "text",
      "messageCode": "text"
    }
  ],
  "id": 1,
  "details": {
    "accessToken": "text",
    "expiresIn": 1
  }
}

Request Body Parameters:

  • username (String): The username of the user attempting to log in—required.

  • password (String): The password associated with the username—required.

  • otp (String): A time-based one-time password (TOTP) generated from the user's shared secret—required.

Request Example:

{
  "username": "exampleUser",
  "password": "examplePass",
  "otp": "123456"
}

Response Body Parameters:

  • id (Integer): A numerical identifier of the response, often representing the authenticated user’s ID.

  • details (Object):

    • accessToken (String): The bearer token provided upon successful authentication.

    • expiresIn (Integer): The number of seconds until the token expires.

Success Response Example:

{
  "id": 0,
  "details": {
    "accessToken": "eyJhbGciOiJIUzI1Ni...",
    "expiresIn": 3600
  },
  "status": "1",
  "errors": []
}

Authorization

API requests are authorized if the request headers contain both the Authorization and otp fields.

  • Header Key: Authorization

    • Expected Value: Bearer {{accessToken}}

    • Example: Bearer eyJhbGciOiJIUzI1Ni...

  • Header Key: otp

    • Expected Value: TOTP using a SHA-1 hash, 6 digit output, and a 30 second interval based on the user’s shared secret.

    • Example: 679008
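
The following Python sketch is an added example, not Ibanera's own code. It generates the TOTP with the parameters listed above (SHA-1, 6 digits, 30 second interval) and builds the login request body and the Authorization/otp headers. It assumes the shared secret is issued as Base32 text; the function names and the sample secret are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import struct
import time

LOGIN_PATH = "/api/v1/public/auth/login"  # endpoint from this page


def totp(shared_secret_b32, at=None, digits=6, interval=30):
    """RFC 6238 TOTP with HMAC-SHA-1, 6 digits, 30 second step."""
    # Assumption: the secret is Base32; tolerate spaces, case, missing padding.
    cleaned = shared_secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = int((time.time() if at is None else at) // interval)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def login_body(username, password, shared_secret_b32, at=None):
    """JSON body for POST LOGIN_PATH; the otp is sent as a string."""
    return json.dumps({"username": username, "password": password,
                       "otp": totp(shared_secret_b32, at)})


def auth_headers(access_token, shared_secret_b32, at=None):
    """Headers for a private endpoint: bearer token plus a fresh otp."""
    return {"Authorization": "Bearer " + access_token,
            "otp": totp(shared_secret_b32, at)}


if __name__ == "__main__":
    # Constructed sample secret (the RFC 6238 test key), not a real credential.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(login_body("exampleUser", "examplePass", secret))
    print(auth_headers("eyJ...constructed", secret))
```

Keep the host clock synchronised, since the code depends on the current 30 second window, and load the shared secret from a secrets store rather than source code.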
