Authentication

If you already have an account, you can use your OAuth token to perform calls.

However, to go live as an integration, you will need to request a clientId and clientSecret and use the machineToMachine token endpoint. Your clientId and ClientSecret are unique to you as a partner and can be used to access other linked accounts if they are authorized to you. Never share your clientId or secret with anyone else.

Don't forget to cache this token. You should only request a new one when your current one has expired. The token is specific for your partner integration and permits access to all connected customer accounts.
You can use this tool to see the contents of the token.

📘

API Credentials

Please be aware that we provide one clientId and one clientSecret which allows access to all connected customer accounts and these credentials don't change per integrated account.

When we call your endpoint

With every call we make to an endpoint on your system, we include an HMAC header.HMAC stands for Keyed-Hashing for Message Authentication code and is a HASH signature that we set based on the payload and a pre-shared secret.

We use the SHA256 cryptographic hash function to calculate the hash and with this will allow you to validate that we are the ones calling your endpoints.

HMAC secrets will only be provided for certified partners prior to moving into production, at which point this will be communicated to you in a secure way. Before providing an HMAC secret to you, the request is signed using the channelLinkId as HMAC secret.

For more information about HMAC and how it works please visit wikipedia

🚧

When calculating the HASH on your end, make sure you do this based on the payload as its received and don't process, parse or otherwise touch it before doing so.