Authentication
Secure your API requests with authentication.
The Open Ledger API authenticates requests with JSON Web Tokens (JWTs). Every API request must carry a valid token; requests without one are rejected.
API Keys and Token Generation
API keys are used to generate JWT tokens for authenticating requests to the Open Ledger API. Each account can have multiple API keys for different environments and purposes.
Obtaining API Keys
To get your API keys, please contact our team to request API access. Our team will set up an account for you and provide the necessary credentials.
Your API keys carry significant privileges: anyone holding a key can mint tokens and act as your account. Never commit them to source control (GitHub or otherwise), ship them in client-side code, or embed them in your application's source.
Generating a JWT Token
To generate a JWT token, make a POST request to the token generation endpoint:
This endpoint returns a JWT token that you’ll use for subsequent API requests:
Authentication Methods
Bearer Token Authentication
All API requests must include the JWT token in the Authorization header:
Example request using bearer token authentication:
Entity Context
Many API endpoints require you to specify which entity’s data you’re working with. You can provide the entity ID as a query parameter:
Entity-Scoped Tokens
If your own users reach the API through your application, issue them entity-scoped tokens so that each user can access only their own entity's data, rather than handing out a token that spans every entity on your account.
Authentication Errors
If your authentication is invalid or expired, the API will return a 401 Unauthorized response:
If you’re missing the required entity context, the API will return a 400 Bad Request response:
Sandbox Environment
For development and testing, you can use our sandbox environment. To set up a sandbox environment with test data, use the sandbox endpoint:
This will create a new sandbox environment including a developer account, entity, ledger structure, and Plaid sandbox bank connections. It will also return a JWT token for API access.
Security Best Practices
- Store API keys securely: Never hardcode API keys in your application code or expose them in client-side JavaScript.
- Use environment variables: Store your API keys as environment variables rather than in your application code.
- Implement secure token storage: Store JWT tokens securely, especially in browser environments.
- Monitor API usage: Regularly review your API logs to detect any unauthorized or suspicious activity.
- Use HTTPS: Always use HTTPS for API requests to ensure encrypted communication.
- Set short token lifetimes: Request new tokens periodically to limit the impact of token exposure.
Need Help?
If you need assistance with API authentication or have any questions about accessing our API, please contact our support team.