# Authentication
Treezor Connect leverages the OAuth2 framework and JSON Web Tokens (JWT), which allow for a wide range of authentication flows, from the simplest use cases to the most complex ones.
Security – Keep your credentials safe
Authentication uses `client_id` and `client_secret`. These are extremely sensitive credentials and must be kept safe and secret. See the Credentials article for more information.
Authenticating is a two-step process:
- Obtaining your token – Call the `/oauth/token` endpoint to get a JWT.
- Using the token – For each subsequent request, include this JWT in an `Authorization` header.
Note – The access token expires after 1 hour, so you need to:
- Cache the token (avoiding unnecessary hits to Treezor's authentication endpoint)
- Renew or refresh the token before it expires (not applicable to all situations)
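
The caching and renewal rule from the note above, as an added example (not Treezor's own code): the JWT is kept in memory, reused until shortly before the 1-hour expiry, then fetched again through `/oauth/token`. Assumptions: the form fields in `fetch_token` follow the standard OAuth2 `client_credentials` grant, the response may carry the standard `expires_in` field, and the names `fetch_token`, `TokenCache` and `margin` are hypothetical.

```python
import json
import time
import urllib.parse
import urllib.request


def fetch_token(base_url, client_id, client_secret):
    """POST to /oauth/token. Form fields follow the standard OAuth2
    client_credentials grant (assumption: not taken from this page)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/oauth/token", data=body)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Caches the JWT and renews it shortly before it expires."""

    def __init__(self, fetch, clock=time.monotonic, margin=60, default_ttl=3600):
        self._fetch = fetch              # zero-argument callable returning the token JSON
        self._clock = clock              # injectable so expiry can be tested offline
        self._margin = margin            # renew this many seconds before expiry
        self._default_ttl = default_ttl  # 1 hour, as stated in the note above
        self._token = None
        self._expires_at = 0.0

    def token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            data = self._fetch()
            # expires_in is the standard OAuth2 field (assumption); else 1 hour
            ttl = int(data.get("expires_in", self._default_ttl))
            self._token = data["access_token"]
            self._expires_at = now + ttl
        return self._token

    def headers(self):
        # "Bearer" capitalised, one space, then the JWT
        return {"Authorization": "Bearer " + self.token()}

    def __repr__(self):
        return "<TokenCache token=hidden>"  # keep the JWT out of logs and tracebacks
```

In real use, pass `lambda: fetch_token(base_url, client_id, client_secret)` as `fetch`, with the credentials loaded from a secret store rather than written into source code.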
# Obtaining an access token (JWT)
As part of your onboarding process, your Treezor Account Manager provided you with your credentials including `client_id` and `client_secret`.
Use the following request to authenticate and get your JWT, using the relevant `{baseUrl}` depending on the environment.
The following JSON object is returned if successful, the `access_token` field being your JWT:
You're now authenticated to the Treezor API. Keep your `access_token` at hand, since it will be used during the next steps.
# Using the token
You can now use your JWT in the `Authorization` header to make your API calls as follows:
- `Bearer` – The type of your token. Make sure you respect the capitalization and keep the space.
- `{accessToken}` – Your JSON Web Token, always referred to as the `accessToken` in the documentation examples.
The following example illustrates how a typical request to the API is structured.
# Refreshing the token
A token can be refreshed up to a month after the initial authentication. After a month you will have to start the authentication process again.
Availability – Refresh is only possible with password grant and authorization code flows
If the `grant_type` is `client_credentials`, you cannot refresh a token.
# Request
The following example asks for a refreshed token:
# Response
You are now able to use the newly provided token.
Tip – Open-source libraries may help abstract token management
Treezor doesn't provide client libraries or SDKs to consume the Treezor API, but some open-source tools are available to help you.