Aggregation API
Authentication

The Financeable Aggregation API uses the OAuth 2.0 client credentials grant for authentication. Your application exchanges its client ID and client secret for a bearer access token and presents that token on every API request instead of the credentials themselves.

Overview

OAuth 2.0 client credentials flow is designed for server-to-server authentication where:

  • Your application acts as the client
  • You have a client ID and client secret (obtained from Financeable)
  • You exchange these credentials for an access token
  • You use the access token to make authenticated API requests

Credential Issuance

Before you can authenticate, you must be issued OAuth credentials by Financeable. This one-time process provides you with the client ID and client secret needed for all subsequent authentication requests.

The diagram above illustrates the credential issuance process. Once issued, these credentials enable your application to authenticate and access the API.

Authentication Flow

  1. Obtain credentials - Contact Financeable to receive your client ID and client secret
  2. Request access token - Exchange credentials for an access token
  3. Make API requests - Include the token in the Authorization header
  4. Token renewal - Request a new token before expiration

Security Best Practices

  • Never expose credentials in client-side code or public repositories
  • Store credentials securely using environment variables or secret management systems
  • Rotate credentials regularly and when team members leave
  • Use HTTPS only for all API communication
  • Implement token caching to minimize token endpoint requests
  • Handle token expiration gracefully by refreshing before expiry

Scopes

The API supports two scopes that control access levels:

  • applications:read - Read access to application resources
  • applications:write - Full access to create and read applications

Request only the scopes your application needs. Multiple scopes can be requested by space-separating them.
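The following is an added example, not Financeable's own client code. It ties together the four-step flow above, the caching and refresh-before-expiry practices, and the space-separated scope rule in one small client: it builds a client-credentials token request, caches the returned access token, renews it a margin before `expires_in` runs out, and emits the `Authorization: Bearer` header for API calls. The token endpoint URL, the choice of HTTP Basic authentication for the client credentials (one of the two forms RFC 6749 allows), and the JSON response fields are assumptions; substitute the values from your Financeable onboarding. The HTTP transport is injectable so the logic can be exercised offline.

```python
"""OAuth 2.0 client-credentials helper: token request, cache, refresh, scopes (added example)."""
import base64
import json
import os
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Optional

# ASSUMPTION: the real token endpoint is not stated on the page; this is a placeholder.
TOKEN_URL = os.environ.get("FINANCEABLE_TOKEN_URL", "https://TOKEN-ENDPOINT-PLACEHOLDER/oauth/token")
# The two scopes documented on the page.
VALID_SCOPES = {"applications:read", "applications:write"}
# Renew this many seconds before the token actually expires (practice: refresh before expiry).
REFRESH_MARGIN_SECONDS = 60


def build_token_request(client_id: str, client_secret: str, scopes: Iterable[str]) -> Dict[str, object]:
    """Return headers and form body for a client_credentials token request.

    Scopes are validated against the documented set and joined with spaces,
    as the page requires. Credentials go in an HTTP Basic header (assumption:
    RFC 6749 allows Basic or body parameters; Financeable's form is not stated).
    """
    scopes = list(scopes)
    unknown = set(scopes) - VALID_SCOPES
    if unknown:
        raise ValueError(f"unknown scope(s): {sorted(unknown)}")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    headers = {"Authorization": f"Basic {basic}", "Content-Type": "application/x-www-form-urlencoded"}
    return {"headers": headers, "body": body}


def http_post_form(url: str, headers: Dict[str, str], body: str) -> Dict[str, object]:
    """Default transport: POST the form body over HTTPS and parse the JSON reply."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Caches one access token and renews it shortly before it expires."""

    def __init__(self, client_id: str, client_secret: str, scopes: Iterable[str],
                 post: Callable[[str, Dict[str, str], str], Dict[str, object]] = http_post_form,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._client_id = client_id
        self._client_secret = client_secret
        self._scopes = list(scopes)
        self._post = post          # injectable transport (real HTTP or a test double)
        self._clock = clock        # injectable clock so expiry logic is testable
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def _needs_refresh(self) -> bool:
        return self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN_SECONDS

    def get_token(self) -> str:
        """Return a cached token, fetching a new one only when (nearly) expired."""
        if self._needs_refresh():
            req = build_token_request(self._client_id, self._client_secret, self._scopes)
            resp = self._post(TOKEN_URL, req["headers"], req["body"])
            # ASSUMPTION: standard RFC 6749 response fields; reject anything that is not a bearer token.
            if str(resp.get("token_type", "")).lower() != "bearer":
                raise RuntimeError(f"unexpected token_type: {resp.get('token_type')!r}")
            self._token = str(resp["access_token"])
            self._expires_at = self._clock() + int(resp["expires_in"])
        return self._token

    def auth_header(self) -> Dict[str, str]:
        """Header to attach to each API request (step 3 of the flow)."""
        return {"Authorization": f"Bearer {self.get_token()}"}


if __name__ == "__main__":
    # Credentials come from the environment, never from source code or a repository.
    cache = TokenCache(os.environ["FINANCEABLE_CLIENT_ID"], os.environ["FINANCEABLE_CLIENT_SECRET"],
                       ["applications:read"])
    print(cache.auth_header())
```

Because `expires_at` is computed from a monotonic clock at fetch time, the cache never reuses a token past its lifetime even if wall-clock time is adjusted, and the refresh margin means a request issued just before expiry does not race the server's own check.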
