
API Authentication

The Transaction Monitoring APIs use a slightly different method of authentication and authorization from the one explained on the API Authorization page for all Fenergo APIs. This document covers the Client Credentials flow used to authenticate and to acquire the token for authorizing against the Fenergo Transaction Monitoring APIs.

API Client Credentials

When authenticating against the Fenergo APIs, we use the Client Credentials flow. In this flow the credentials (a client ID and secret) are sent only ONCE, at authentication. Once they are validated, an access token is returned for use in all subsequent calls. This protects the credentials, because they are not required for each call and the access token acts as a surrogate for them. The type of token used by Fenergo is called a Bearer token. The value of the access token is passed in a header called Authorization, prefixed with the string Bearer.

Fenergo API Access Token
    "access_token": "eyJhbGciOiJSUzI1NiIsImtpZxxxxxxxXXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxxXXXxxn2rpK61tgg",
"expires_in": 900,
"token_type": "Bearer",
"scope": "xxxxxxx"

Authentication and authorization

The OAuth2 protocol is used for authentication and authorization.

Required details:

  • Grant type: Client Credentials
  • Token URL: Provided by the Customer Success Team

The following Bash command shows how the JWT can be fetched. Be sure to use the right client ID and client secret.

curl -i -H 'Content-Type: application/x-www-form-urlencoded' -X POST 'https://token_url' -d 'grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&scope=YOUR_TENANT_SCOPE'

Tenant Scopes

To acquire an access token, you can always use the tenant/<tenant-id> scope to authorize with the client credentials flow.

Using the access token

After successfully acquiring the access token, you can call any of the available APIs by including, as mentioned before, the access token in the Authorization header of each request.