Authentication

Secure your API calls with DirectLogin authentication

Overview

The API supports multiple authentication methods. The simplest for development is DirectLogin, which uses a username, password, and consumer key to generate an access token.

DirectLogin | OAuth 1.0a | OAuth 2.0

DirectLogin

DirectLogin is ideal for server-to-server communication and development. Here's how to authenticate:

1. Get a Consumer Key

Create an API key in your dashboard. The consumer_key is required for authentication.

2. Request Token

Send a POST request to the DirectLogin endpoint:

POST /my/logins/direct

Headers:
  Content-Type: application/json
  DirectLogin: username="your_username",
               password="your_password",
               consumer_key="your_consumer_key"

3. Response

On success, you'll receive an access token:

{
  "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."
}

4. Use the Token

Include the token in all subsequent API requests:

GET /obp/v5.1.0/my/accounts

Headers:
  Authorization: DirectLogin token="YOUR_TOKEN"

Code Examples

JavaScript

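// Request a token; username, password and consumerKey are supplied by the caller
const response = await fetch('/my/logins/direct', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'DirectLogin': `username="${username}",password="${password}",consumer_key="${consumerKey}"`
  }
});

// Stop on a failed login instead of reading a token from an error body
if (!response.ok) {
  throw new Error(`DirectLogin failed: HTTP ${response.status}`);
}

const { token } = await response.json();

// Use token in subsequent requests
const accounts = await fetch('/obp/v5.1.0/my/accounts', {
  headers: {
    'Authorization': `DirectLogin token="${token}"`
  }
});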
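
A hardened variant of the flow above, added here as an example and not the API provider's own code: it refuses values that would break out of the quoted header parameters, refuses plain HTTP, checks the response status, and masks secrets before logging. The helper names (directLoginParams, loginUrl, authHeader, redact, directLogin) are hypothetical, and it assumes the header format defines no escape for quotes inside values.

```javascript
// Added example: DirectLogin client helpers with input checks (not the API provider's code).
// Assumption: the header format has no escape for quotes, so such values are rejected.
const FORBIDDEN = /["\u0000-\u001f\u007f]/; // double quote, CR, LF and other control characters

// Build `name="value",...` and refuse values that would break out of the quoted parameter.
function directLoginParams(params) {
  return Object.entries(params).map(([name, value]) => {
    if (typeof value !== 'string' || value === '' || FORBIDDEN.test(value)) {
      throw new Error(`invalid DirectLogin parameter: ${name}`); // name only, never the value
    }
    return `${name}="${value}"`;
  }).join(',');
}

// Resolve the token endpoint and refuse to send credentials over plain HTTP.
function loginUrl(baseUrl) {
  const url = new URL('/my/logins/direct', baseUrl);
  if (url.protocol !== 'https:') throw new Error('DirectLogin requires HTTPS');
  return url.href;
}

// Header for authenticated calls, as in step 4.
function authHeader(token) {
  return { Authorization: `DirectLogin ${directLoginParams({ token })}` };
}

// Mask secrets before a header value is written to logs or error reports.
function redact(headerValue) {
  return headerValue.replace(/\b(password|consumer_key|token)="[^"]*"/g, '$1="[REDACTED]"');
}

// Request a token; fetchImpl is injectable so the flow can be exercised offline.
async function directLogin(baseUrl, creds, fetchImpl = globalThis.fetch) {
  const response = await fetchImpl(loginUrl(baseUrl), {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      DirectLogin: directLoginParams({
        username: creds.username,
        password: creds.password,
        consumer_key: creds.consumerKey,
      }),
    },
  });
  if (!response.ok) throw new Error(`DirectLogin failed: HTTP ${response.status}`);
  const { token } = await response.json();
  authHeader(token); // throws if the token is missing or malformed
  return token;
}
```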

cURL

# Get token
curl -X POST https://api.example.com/my/logins/direct \
  -H 'Content-Type: application/json' \
  -H 'DirectLogin: username="user",password="pass",consumer_key="key"'

# Use token
curl https://api.example.com/obp/v5.1.0/my/accounts \
  -H 'Authorization: DirectLogin token="YOUR_TOKEN"'

Security Best Practices

  • Never expose your consumer secret in client-side code
  • Store tokens securely (encrypted storage, not localStorage for production)
  • Use HTTPS for all API communications
  • Rotate API keys periodically
  • Monitor your API usage for suspicious activity