Authentication

Secure your API requests with authentication.

The Open Ledger API uses JWT tokens to authenticate requests. You must include an authentication token with every API request.

API Keys and Token Generation

API keys are used to generate JWT tokens for authenticating requests to the Open Ledger API. Each account can have multiple API keys for different environments and purposes.

Obtaining API Keys

To get your API keys, please contact our team to request API access. Our team will set up an account for you and provide the necessary credentials.

Your API keys carry significant privileges. Never share your API keys in publicly accessible areas such as GitHub, client-side code, or in your application’s source code.

Generating a JWT Token

To generate a JWT token, make a POST request to the token generation endpoint:

1POST /v1/developers/auth/generate-token
2Content-Type: application/json
3
4{
5 "developerId": "yourDeveloperId",
6 "apiKey": "yourApiKey"
7}

This endpoint returns a JWT token that you’ll use for subsequent API requests:

1{
2 "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6...",
3 "token_type": "Bearer",
4 "expires_in": 3600
5}

Authentication Methods

Bearer Token Authentication

All API requests must include the JWT token in the Authorization header:

1Authorization: Bearer YOUR_JWT_TOKEN

Example request using bearer token authentication:

$curl https://api.openledger.com/v1/transactions \
> -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6..." \
> -H "Content-Type: application/json"

Entity Context

Many API endpoints require you to specify which entity’s data you’re working with. You can provide the entity ID as a query parameter:

1?entityId=entity_12345

Entity-Scoped tokens

You’ll likely want to generate entity-scoped tokens for your users to be able to access only their own entity’s data

1POST /v1/entities/auth/generate-token
2Content-Type: application/json
3
4{
5 "apiKey": "yourApiKey",
6 "developerId": "yourDeveloperId",
7 "entityId": "userEntityId"
8}

Authentication Errors

If your authentication is invalid or expired, the API will return a 401 Unauthorized response:

1{
2 "error": {
3 "message": "Authentication credentials are invalid or expired"
4 }
5}

If you’re missing the required entity context, the API will return a 400 Bad Request response:

1{
2 "error": {
3 "message": "Required parameter entityId is missing"
4 }
5}

Sandbox Environment

For development and testing, you can use our sandbox environment. To set up a sandbox environment with test data, use the sandbox endpoint:

1POST /v1/sandbox
2Content-Type: application/json
3
4{
5 "name": "Test User",
6 "developer_id": "your_developer_id",
7 "industry": "Fintech",
8 "preferences": {
9 "currency": "USD",
10 "timezone": "UTC",
11 "locale": "en"
12 }
13}

This will create a new sandbox environment including a developer account, entity, ledger structure, and Plaid sandbox bank connections. It will also return a JWT token for API access.

Security Best Practices

  1. Store API keys securely: Never hardcode API keys in your application code or expose them in client-side JavaScript.

  2. Use environment variables: Store your API keys as environment variables rather than in your application code.

  3. Implement secure token storage: Store JWT tokens securely, especially in browser environments.

  4. Monitor API usage: Regularly review your API logs to detect any unauthorized or suspicious activity.

  5. Use HTTPS: Always use HTTPS for API requests to ensure encrypted communication.

  6. Set short token lifetimes: Request new tokens periodically to limit the impact of token exposure.

Need Help?

If you need assistance with API authentication or have any questions about accessing our API, please contact our support team.