API Specifications

API Authentication

API’s are secured using an OAuth2 Client Credentials Grant Flow

The Access Token can be retrieved from the following authorization urls

  • uat / sandbox : https://auth-uat.ingo.money
  • production : https://auth.ingo.money

Refer to the following Client Credentials Flow link for further details and examples on how to send in a valid authorization request.

Authorization Request

Authentication using a shared secret

Request with Authentication Credentials via the Authorization Header

  1. Concatenate the ClientId and ClientSecret with a “:” eg “The_Best_Client_Ever:Super_DOOPER_Secret”
  2. Base64 Encode the resulting string value
  3. Create the Authorization Header using the format “Basic Base64EncodedValue”
  4. Set the Content-Type to “application/x-www-form-urlencoded”
  5. Add the following form parameters in the “BODY” of the request
    • scope=<scope_name_or_uri>
    • grant_type=client_credentials
  6. Set the HTTP Method to “POST”

Example:

POST https://auth-uat.ingo.money

Content-Type: application/x-www-form-urlencoded
Authorization: Basic Q2xpZW50SWQ6UEBzc3cwckQjRXhAYW1wbGUh

scope=https://apis.ingo.money/auth/samples/dotnet-core-api

Request with Authentication Credentials along with the BODY parameters

  1. Set the Content-Type to “application/x-www-form-urlencoded”
  2. Add the following form parameters in the “BODY” of the request
    • scope=https://apis.ingo.money/auth/samples/dotnet-core-api
    • grant_type=client_credentials
    • client_id=The_Best_Client_Ever
    • client_secret=Super_DOOPER_Secret
  3. Set the HTTP Method to “POST”
POST https://auth-uat.ingo.money

Content-Type: application/x-www-form-urlencoded

scope=https://apis.ingo.money/auth/samples/dotnet-core-api&grant_type=client_credentials&client_id=The_Best_Client_Ever&client_secret=Super_DOOPER_Secret

SUCCESS RESPONSE

STATUS CODE: 200 (OK)

{
    "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IkUxQjNCQkJFMzhDNDdBREJDNzk0N0FDQ0U1OTVFMjQ3MUNEMkFGQUVSUzI1NiIsInR5cCI6ImF0K2p3dCIsIng1dCI6IjRiTzd2ampFZXR2SGxIck01WlhpUnh6U3I2NCJ9.eyJuYmYiOjE2MDYzMjA1NTYsImV4cCI6MTYwNjMyNDE1NiwiaXNzIjoiaHR0cHM6Ly9hdXRoLWxvY2FsLmluZ28ubW9uZXk6NTUwMDEiLCJhdWQiOlsiSWRlbnRpdHlJbnNpZ2h0cy5BcGkiLCJodHRwczovL2F1dGgtbG9jYWwuaW5nby5tb25leTo1NTAwMS9yZXNvdXJjZXMiXSwiY2xpZW50X2lkIjoiTmV0U3BlbmQiLCJpZGVudGl0eS5zY29yaW5nIjoidHJ1ZSIsImp0aSI6IjlEODREMjUyOUQyNTY4NTMwQzI1RTY4NDA0MTdFQzAxIiwiaWF0IjoxNjA2MzIwNTU2LCJzY29wZSI6WyJodHRwczovL2FwaXMuaW5nby5tb25leS9hdXRoL2luc2lnaHRzL2lkZW50aXR5LXNjb3JlIl19.W8Sz3_A_8sJr2p_zqbhrAisr8ECwu5cVYdxVlMqYzEwI4l22_ulIVwRpKNWEmp7wlngnSV5cl9fwoj5QqOSwZoixsk4sFGk6vcZcdbmutOvum-Q7lZ1iTwfwpQv_Q2Cp__NHc9KFSD3KR8qFdAucE5UlOr5VvOb__r-mvtvL1f1HYRRG2JSkkzjXy04Nbn-UKcvYm0VoqL3vaye3-uOPyo9NI0mMcgJCJpM1jmnM6BkdZOr2zvd4-jOt2FOcZWlHCoeGf8YFm4RWCF6o3MNIxbrOqxfZ8YKztmBIxTUnWe6GPtbkU16FYIbgdp4uaJcr3YQIvgPt0FhT-tXxr8qjdQ",
    "expires_in": 3600,
    "token_type": "Bearer",
    "scope": "https://apis.ingo.money/auth/samples/dotnet-core-api"
}

To improve performance, it is recommended that the client can reuse the access_token for back-to-back API calls.

The expires_in response parameter can guide the storage / cachsing mechanisms and timing of when the client’s system needs to request a new access_token