Authentication

Get started making calls to the Open Ledger API.

Obtaining API Credentials

1. Obtain your client credentials

OpenLedger uses the OAuth2 client credentials flow to authenticate API requests. To access the API, you’ll need a client_id and client_secret pair provided by our team.

Contact us to request API credentials and discuss your integration needs.

2. Get your bearer token

OpenLedger API calls require a bearer access token. To receive an access token, send your client_id and client_secret in a POST request to our authorization server:

POST https://{provided_url}/oauth/token
Content-Type: application/json

{
  "client_id": "your-client-id",
  "client_secret": "your-client-secret",
  "audience": "https://api.openledger.ai",
  "grant_type": "client_credentials"
}

The authorization server will respond with your granted access token:

{
  "access_token": "your-access-token",
  "token_type": "Bearer",
  "expires_in": 36000
}

Include the access_token in the Authorization header as a Bearer token for all subsequent API requests.

Access tokens expire after 1 hour. To refresh your access token, make another call to Open Ledger’s authorization endpoint with your client_id and client_secret. We recommend refreshing tokens for new sets of requests rather than persisting access tokens.
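The token exchange above, as an added example (not Open Ledger's own client code): a small client that reads the credentials from environment variables, requests a token with the request body shown, caches it until shortly before the expires_in reported by the server, and builds the Authorization header. The HTTP transport is injected so the class can be exercised against a constructed response; the environment variable names and the 60-second refresh margin are assumptions.

```python
import json
import os
import time
import urllib.request
from typing import Callable, Dict, Tuple

TOKEN_URL = "https://{provided_url}/oauth/token"  # placeholder from the docs
AUDIENCE = "https://api.openledger.ai"

# A transport posts a JSON body to a URL and returns (status, parsed JSON body).
Transport = Callable[[str, Dict[str, str]], Tuple[int, dict]]


class OpenLedgerAuth:
    def __init__(self, client_id: str, client_secret: str, transport: Transport,
                 token_url: str = TOKEN_URL, now=time.time, skew: int = 60):
        self._client_id, self._client_secret = client_id, client_secret
        self._transport, self._token_url, self._now, self._skew = transport, token_url, now, skew
        self._token, self._expires_at = None, 0.0

    def _fetch_token(self) -> None:
        body = {"client_id": self._client_id, "client_secret": self._client_secret,
                "audience": AUDIENCE, "grant_type": "client_credentials"}
        status, data = self._transport(self._token_url, body)
        if status != 200 or "access_token" not in data:
            raise RuntimeError(f"token request failed: HTTP {status}")
        self._token = data["access_token"]
        # Trust the server's expires_in rather than a fixed assumed lifetime.
        self._expires_at = self._now() + float(data.get("expires_in", 0))

    def token(self) -> str:
        # Refresh when no token is cached or it is within `skew` seconds of expiry.
        if self._token is None or self._now() >= self._expires_at - self._skew:
            self._fetch_token()
        return self._token

    def auth_headers(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.token()}"}


def urllib_transport(url: str, body: Dict[str, str]) -> Tuple[int, dict]:
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read().decode())


def from_env(transport: Transport = urllib_transport) -> OpenLedgerAuth:
    # Assumed variable names; keeps the secret out of source code and config files.
    return OpenLedgerAuth(os.environ["OPENLEDGER_CLIENT_ID"],
                          os.environ["OPENLEDGER_CLIENT_SECRET"], transport)
```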

Overview

Open Ledger ensures that all API interactions are secure and authenticated using Auth0, with fine-grained permissions and UUIDs for enhanced security.

Using UUIDs

Each entity within the Open Ledger system (e.g., transactions, companies, developers) is identified by a UUID (Universally Unique Identifier). UUIDs ensure that each entity is globally unique and secure.

Fine-Grained Permissions

Fine-grained permissions allow you to specify exactly what data each authenticated user can access. When setting up your Auth0 roles, you can define permissions that match your organization’s security policies. An example set of roles for role-based access control (RBAC):

  • Admin: Full access to all API endpoints.
  • Developer: Access limited to developer-related endpoints.
  • Auditor: Read-only access to financial reports and transactions.

Best Practices

  • Rotate API keys regularly and use environment variables to store them.
  • Track API usage and access patterns to detect any anomalies.

For further assistance with setting up authentication, please contact our support team.