Authorization (OAuth 2)

To call most of the APIs, you have to follow an authorization process based on OAuth2 protocol.

This process verifies both the client application (you) and the customer. It is also set up in a way that customer credentials are not stored within your infrastructure. They are provided by the customer directly to the bank, thus not only guaranteeing actual security, but also providing the assurance of its existance to all sides. 

oAuth access_code flow

This is achieved by following three steps.

  • Call Authorization URL (as noted in the security section of the API definition).  A SAMPLE Authentication URL is in the form :, where :

  1. APPLICATION_ID is the id that was provided durring application registration.
  2. APPLICATION_REDIRECT_URI is a link that you have to provide when you register the application. This link will be called (with redirection) via a code that will be produced at the end of this call in case of a successfull loginAPI.
  3. API_SCOPE is for applications in production mode or /sandboxapi for applications in development mode.

   The result of this call is a code that is needed in the next step.


  • Call Token URL. A SAMPLE Token URL is in the form:

The parameters needed should be passed in the body form-urlencoded.  The parameters are as follows:

    1. grant_type is always authorization_code
    2. client_id is the application id, the same that you will pass in the x-ibm-client-id header in the rest of the apis
    3. client_secret is the application secret, that you noted down durring the application creation.
    4. code is the value returned from the authorization url you just called.  this code is short lived, so the token call should be called just after
    5. redirect_uri is the uri declared in the app

    This call returns an access token, that is needed for all APIs that access user information. 

  •  Call an API. The previous access token is passed in the Authorization header in the form "Bearer <token>", where "token" is the access token.  More details are provided in the "API Calls" section.

The ACTUAL Authorization and Token URLs are available in each API's specification, provided in the section API Products :

Authorization & Token URLs



If the application you want to implement is not a web application, and you cannot provide a redirect url to be called, there is a technical solution to get the intermediate code.  In a desktop application, a web control must be used to initiate the authorization proccess, and a dummy redirect url.  When the user provides his/her credentials and authorizes your application for access, this control will try to redirect to the dummy redirect url, which will contain the code as a parameter.  This is the parameter you need to capture, in order to use it for the token call (second step).