Ibanera Customer API

Authentication & Authorization

Last updated 1 year ago

Authentication

To log in through the API, submit the API credentials supplied to you by Ibanera together with a one-time password (otp). The login endpoint authenticates the user by validating the credentials and the TOTP code, and returns an access token for subsequent API requests.

  • Endpoint: /api/v1/public/auth/login

  • Method: POST

Request Body Parameters:

  • username (String): The username of the user attempting to log in (required).

  • password (String): The password associated with the username (required).

  • otp (String): A time-based one-time password (TOTP) generated from the user's shared secret (required).

Request Example:

{
  "username": "exampleUser",
  "password": "examplePass",
  "otp": "123456"
}

Response Body Parameters:

  • id (Integer): A numerical identifier of the response, often representing the authenticated user's ID.

  • details (Object):

    • accessToken (String): The bearer token provided upon successful authentication.

    • expiresIn (Integer): The number of seconds until the token expires.

Success Response Example:

{
  "id": 0,
  "details": {
    "accessToken": "eyJhbGciOiJIUzI1Ni...",
    "expiresIn": 3600
  },
  "status": "1",
  "errors": []
}

Authorization

API requests to private endpoints are authorized only if the request headers contain both the Authorization and otp fields. The otp value is a TOTP for the current 30 second window, so generate it at request time rather than reusing the code sent at login.

Header Key | Expected Value | Example
Authorization | Bearer {{accessToken}} | Bearer eyJhbGciOiJIUzI1Ni...
otp | TOTP generated from the user's shared secret using a SHA-1 hash, 6 digit output and a 30 second interval | 679008

Refer to our guide on Generating a Time-Based One-Time Password (TOTP) with a Shared Secret.
Generates bearer access token for private endpoints

POST /api/v1/public/auth/login

Request body parameters:

  • username: Login username
  • password: User password
  • otp: Time-based one-time password generated from the provided shared secret

Response:

  • accessToken: Bearer access token used for authorization
  • expiresIn: Access token expiry time in seconds
  • refreshToken: Refresh token used to refresh an access token
  • refreshTokenExpiresIn: Refresh token expiry time in seconds

Note that the example responses on this page show only accessToken and expiresIn; the refresh token fields listed here do not appear in them.

Possible validation messages:

  • Required: Required field is missing
  • Username_Or_Password_Incorrect: Invalid credentials
  • Account_Not_Verified: Account is not permitted to use the API
  • Account_Locked: Account locked for 10 minutes after too many failed attempts
  • Account_Suppressed: Account is currently inactive
Body (application/json):

  • username (string, required)
  • password (string · password, required)
  • otp (string, required)

Responses:

  • 200 Success (application/json)
  • 400 Bad Request (application/json)
Request example (generated from the API definition; the Authorization line is the generator's placeholder, since this public endpoint is the call that issues the token):

POST /api/v1/public/auth/login HTTP/1.1
Host: fintech-phoenix-customer-api-v1.api.avamae.co.uk
Authorization: YOUR_API_KEY
Content-Type: application/json-patch+json
Accept: */*
Content-Length: 54

{
  "username": "text",
  "password": "password",
  "otp": "text"
}

Response example:

{
  "status": "text",
  "errors": [
    {
      "fieldName": "text",
      "messageCode": "text"
    }
  ],
  "id": 1,
  "details": {
    "accessToken": "text",
    "expiresIn": 1
  }
}
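The following client-side helper ties together the login request, the Authorization and otp headers required on private endpoints, and the validation codes listed above. It is an added example written for this page, not Ibanera's own client code. It assumes the shared secret is handed out base32-encoded (the usual form for TOTP secrets; change only the decode line if Ibanera supplies it differently), treats a response with status "1" and an empty errors list as success based on the success example on this page, and the retry decisions for the validation codes are my reading of their descriptions. The TOTP routine uses the SHA-1, 6 digit, 30 second parameters from the header table and is checked against the RFC 6238 test vectors; no network call is made, the server response in demo() is constructed.

```python
import base64
import hashlib
import hmac
import struct
import time

LOGIN_PATH = "/api/v1/public/auth/login"

# RFC 6238 reference secret ("12345678901234567890") in base32, used only to
# check the TOTP routine against the published test vectors.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Validation codes from the login reference. Which ones are worth retrying is an
# assumption drawn from their descriptions, not something the page states.
NO_RETRY = {"Username_Or_Password_Incorrect", "Account_Not_Verified", "Account_Suppressed"}
LOCKOUT_SECONDS = 10 * 60  # Account_Locked: locked for 10 minutes


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA-1: the parameters in the header table."""
    padded = secret_b32.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)  # assumption: secret is base32
    key = base64.b32decode(padded)
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class LoginError(Exception):
    def __init__(self, code, field=""):
        super().__init__("login failed: %s (%s)" % (code, field))
        self.code = code
        self.field = field

    def retry_after(self):
        """Seconds to wait before another attempt, or None if retrying cannot help."""
        if self.code == "Account_Locked":
            return LOCKOUT_SECONDS
        if self.code in NO_RETRY:
            return None
        return 0


def login_body(username, password, secret_b32, at=None):
    """Body for POST /api/v1/public/auth/login; the otp is computed at call time."""
    return {"username": username, "password": password, "otp": totp(secret_b32, at)}


def parse_login_response(resp):
    """Return the details object on success, else raise LoginError with the first messageCode."""
    errors = resp.get("errors") or []
    if resp.get("status") == "1" and not errors:
        return resp["details"]
    first = errors[0] if errors else {}
    raise LoginError(first.get("messageCode", "unknown"), first.get("fieldName", ""))


class Session:
    """Tracks the bearer token and when it expires so a re-login happens before then."""

    def __init__(self, details, now=None):
        self.access_token = details["accessToken"]
        self.expires_at = (time.time() if now is None else now) + details["expiresIn"]

    def needs_login(self, now=None, margin=60):
        return (time.time() if now is None else now) >= self.expires_at - margin

    def private_headers(self, secret_b32, at=None):
        """Headers for a private endpoint: bearer token plus a fresh TOTP on every call."""
        return {"Authorization": "Bearer " + self.access_token, "otp": totp(secret_b32, at)}


def demo(now=1_700_000_000):
    """Walk the flow against a constructed success response (no server involved)."""
    body = login_body("exampleUser", "examplePass", RFC_SECRET_B32, at=now)
    fake_response = {  # constructed to match the success example on this page
        "id": 0,
        "details": {"accessToken": "eyJhbGciOiJIUzI1Ni...", "expiresIn": 3600},
        "status": "1",
        "errors": [],
    }
    session = Session(parse_login_response(fake_response), now=now)
    headers = session.private_headers(RFC_SECRET_B32, at=now + 31)
    return body, session, headers


if __name__ == "__main__":
    request_body, sess, hdrs = demo()
    print("login body:", request_body)
    print("private headers:", hdrs)
    print("re-login needed now?", sess.needs_login(now=1_700_000_000))
```

Because the otp header is bound to a 30 second window, the example computes it inside private_headers for every request instead of caching it; if your host's clock drifts by more than a few seconds, TOTP validation will fail even though the bearer token is still valid, so keep the client synchronised with NTP.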