# Authentication

Treezor Connect leverages the OAuth2 framework and JSON Web Tokens (JWT), which allows for a wide range of authentication flows, from the simplest use cases to the most complex ones.

Security – Keep your credentials safe

Authentication uses client_id and client_secret. These are extremely sensitive credentials and must be kept safe and secret. See the Credentials article for more information.

Authenticating is a two-step process:

  1. Obtaining your token – Call the /oauth/token endpoint to get a JWT.
  2. Using the token – For each subsequent request, include this JWT in an Authorization header.

Note – The access token expires after 1 hour, so you need to:

  • Cache the token (avoiding unnecessary hits to Treezor's authentication endpoint)
  • Renew or refresh the token before it expires (not applicable to all situations)

# Obtaining an access token (JWT)

As part of your onboarding process, your Treezor Account Manager provided you with your credentials including client_id and client_secret.

Use the following request to authenticate and get your JWT, using the relevant {baseUrl} depending on the environment.

The following JSON object is returned if successful, the access_token field being your JWT:

You're now authenticated to the Treezor API. Keep your access_token at hand, since it will be used during the next steps.

# Using the token

You can now use your JWT in the Authorization header to make your API calls as follows:

  • Bearer – The type of your token. Make sure you respect the capitalization and keep the space.
  • {accessToken} – Your JSON Web Token, always referred to as the accessToken in the documentation examples.

The following example illustrates how a typical request to the API is structured.

# Refreshing the token

A token can be refreshed up to a month after the initial authentication. After a month you will have to start the authentication process again.

Availability – Refresh is only possible with password grant and authorization code flows

If the grant_type is client_credentials, you cannot refresh a token.

# Request

The following example asks for a refreshed token:

# Response

You are now able to use the newly provided token.

Tip – Open-source libraries may help abstract token management

Treezor doesn't provide client libraries or SDKs to consume the Treezor API, but some open-source tools are available to help you.

Updated on: 4/30/2024, 12:23:09 PM