
API authentication

Security standards

The Banqup APIs follow industry security standards to protect your data. These APIs let you upload, store, and retrieve information from Banqup servers, while also enabling various business operations with your data.

Key concepts:

  • Secure data transmission: To protect data in transit, API requests to the Banqup API platform must be made exclusively over HTTPS. Any attempt to make calls over plain HTTP will fail.

  • Bearer token authentication: Every API request necessitates authentication using a bearer token. This token is generated by Banqup through the provided Client ID and Secret values, aligning with OAuth 2.0, the standard for API authorization.

  • Role-Based Access Control (RBAC): When an API request is received, Banqup performs verification to confirm whether the bearer of the token possesses the necessary permissions to carry out the requested operation(s). This validation is guided by the Role-Based Access Control (RBAC) model.

  • Resource ownership: In Banqup, resources are inherently associated with specific entities. Third-party users will need to get access from the space administrator to access their resources.

API authentication and authorization

Banqup APIs use the OAuth 2.0 framework to provide access to resources. More specifically, we use the Client Credentials grant type, which lets you generate bearer tokens that grant access to our APIs.

API authentication (via bearer token) verifies your identity, while the authorization step (via App ID) verifies whether you are allowed to make the API call and have access to the requested resources.

Authentication

The first step in getting access to the Banqup APIs is an identity check. This is done by using a bearer token as the authentication method when making the API request.
You will have access to all the APIs enabled in the app created on the Banqup Developer Portal.
Check out this API recipe on how to generate a bearer token.

Authorization

The authorization step takes place when you perform an API request using the bearer token. The bearer token is generated in JWT format and includes the encrypted App ID, which is generated when you create a new app on the Banqup Developer Portal and is a unique identifier of that app.

App ID

OAuth will recognize the App ID inside the token and will grant you access if the requested APIs are enabled in the app and you have access to the requested resources.

List of enabled APIs

Note:
When making API calls, a 401 Unauthorized error will be returned if the bearer token is incorrect or expired.
If you don't have access to the requested resources, a 403 Forbidden error will be returned.
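As an added example (not Banqup's own SDK or code), the following Python client performs the flow described above: it exchanges the Client ID and Secret for a bearer token with the Client Credentials grant, sends the token on every request, re-authenticates once on a 401 and stops on a 403 rather than retrying. The token endpoint URL, the API host and the use of HTTP Basic for client authentication are assumptions; substitute the values given on the Developer Portal.

```python
import base64, json, time, urllib.error, urllib.request

# Placeholders: the real token endpoint and API host are on the Banqup Developer Portal.
TOKEN_URL = "https://TOKEN-ENDPOINT.example/oauth/token"
API_BASE = "https://API-HOST.example"

class AuthError(Exception): pass        # 401: token missing, invalid or expired
class ForbiddenError(Exception): pass   # 403: authenticated, but no access to the resource
def https_transport(method, url, headers, body=None):
    """Real transport returning (status, JSON body); refuses plain HTTP as Banqup does."""
    if not url.startswith("https://"):
        raise ValueError("Banqup APIs are HTTPS-only")
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}

class BanqupClient:
    """Client Credentials grant; bearer token on every call; 401 and 403 handling."""
    def __init__(self, client_id, client_secret, transport=https_transport):
        creds = f"{client_id}:{client_secret}".encode()
        self._basic = base64.b64encode(creds).decode()  # assumed: HTTP Basic client auth
        self._transport, self._token, self._expires_at = transport, None, 0.0

    def fetch_token(self):
        status, body = self._transport("POST", TOKEN_URL,
            {"Authorization": f"Basic {self._basic}",
             "Content-Type": "application/x-www-form-urlencoded"},
            b"grant_type=client_credentials")
        if status != 200 or "access_token" not in body:
            raise AuthError(f"token request failed with HTTP {status}")
        self._token = body["access_token"]
        # Renew 30 s early so a token never expires mid-request.
        self._expires_at = time.time() + body.get("expires_in", 3600) - 30

    def get(self, path):
        """GET a resource: re-authenticate once on 401, never retry a 403."""
        if self._token is None or time.time() >= self._expires_at:
            self.fetch_token()
        for attempt in range(2):
            status, body = self._transport("GET", API_BASE + path,
                                           {"Authorization": f"Bearer {self._token}"})
            if status == 401:
                if attempt: raise AuthError("bearer token rejected after refresh")
                self.fetch_token()  # expired or revoked token: one refresh, then give up
                continue
            if status == 403:
                raise ForbiddenError(f"app not authorized for {path}")
            return status, body
```

The `transport` parameter exists so the flow can be exercised against a stub without network access; in production leave the default and keep the secret in a secrets manager, not in source.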

Keep API credentials safe

Ensure the security of your API credentials by following these recommended practices:

  • Limit access to individuals with a genuine need.
  • Avoid storing keys in version control systems.
  • Regulate key access using a password manager or secrets management service.
  • Avoid embedding a key in locations vulnerable to exposure, such as a mobile application.
