Skip to main content
All requests to the Embedded Banking API must be made over HTTPS. Most endpoints authenticate with a Bearer token generated using OAuth 2.0; browser-side application endpoints have an alternative scoped credential for that single application’s flow. The Quick reference lists the token endpoints and grant types at a glance.

Key concepts

  • Secure data transmission: API requests must be made via HTTPS. Calls over plain HTTP will not succeed.
  • Bearer token authentication: Most API requests include a Bearer token in the Authorization header. This is compliant with OAuth 2.0.
  • Application client secret: Per-application endpoints additionally accept a short-lived scoped credential on the X-Client-Secret header, so browser-side surfaces can authenticate without holding a backend bearer token.
Your client secret must be stored securely. It is not recoverable after creation — if lost, you must generate a new one.

Available methods

Client credentials

Server-to-server authentication using the OAuth 2.0 client_credentials grant. Your backend exchanges a client ID and secret for a short-lived access token. Use this for all backend API calls.

User token

Act on behalf of a specific user via OAuth 2.0 Token Exchange (RFC 8693). Use this for user-scoped API calls and generating widget tokens for embedded UI components.

Application client secret

Short-lived, single-application credential returned when an application is created. Use this from white-label and widget surfaces to authenticate browser-side application calls without exposing a backend bearer token.