Authentication
This guide will walk you through the steps to authenticate your requests and access Alpha Connect securely.
Obtain client ID and secret
Before you can authenticate requests, you need to request API credentials. Contact your Alpha Client Services Manager to request a client ID and secret.
There will be separate credentials for the production environment and for the sandbox. See the authorisation API documentation section for technical implementation.
Get Bearer Token
Once you have your client ID and secret, you can request an OAuth 2.0 bearer token from our authentication server. The bearer token has an expiry time of 1 hour, so you will have to re-request if your session is longer than an hour.
Example
POST <https://sandbox.api.alphagroup.com/api/v1/oauth2/token>
Body Content Type:
w-www-form-urlencoded
| Key | Value | Details |
|---|---|---|
grant_type | client_credentials | Fixed value of "client_credentials" |
client_id | {API Key} | Unique Client Id |
client_secret | {Client Secret} | Unique Client Secret |
scope | {scope} | Specify the services available for requests |
authorization | {Key & Secret} | Optional way of passing encoded credentials |
Response
| Name | Type | Description |
|---|---|---|
access_token | string | This is the token that needs to be included in the header of all requests |
expires_in | Integer | 3600 - number of seconds until expiry |
token_type | string | Bearer |
Authorise Requests
In your HTTP requests be sure to add a header with the key authorisation and the value “Bearer “ and {token}. Replace {token} with the actual bearer token you get from the authorisation server.
Encoded authorisation
For additional security you can choose to Base64 encode an authorisation request.
Combine the client ID and secret into a single string, then encode it using Base64 before including it in the Authorisation header of the HTTP request. You can test this on the authorisation API reference page.
Scope
Tokens can have limited scope meaning they will only be able to access certain services provided within the API. This can be useful if you want given systems to be limited to certain functionality. Populating the scope field will specify scope, leaving it empty will grant scopes.
The references to these can be seen below.
| Service | Environment | Scope |
|---|---|---|
| Reporting API | Sandbox | preprod-api/reporting |
| FX API | Sandbox | preprod-api/fx |
| Reporting API | Production | prod-api/reporting |
| FX API | Production | prod-api/fx |
Authenticate via Postman
See our guide on how to authenticate from postman.
HTTPS Encryption
Ensure that all API requests are made over HTTPS to encrypt the data transmitted between your application and our server. HTTPS encryption adds an extra layer of security by protecting the integrity and confidentiality of your data during transmission.
Handle Authentication Errors
In case of authentication errors, our API will return an appropriate error response with the relevant HTTP status code (e.g. 401 Unauthorized). Please handle these errors gracefully in your application and prompt the user to re-authenticate by getting a new token with the new time to leave.
Securely store client ID and secret
Store your API key securely and avoid hardcoding it directly into your application code. Consider using environment variables or secure storage mechanisms provided by your development platform to store sensitive information such as API keys and passwords.
Rotate API client ID and secret
It is best practice to periodically rotate your API client ID and secret. By regularly requesting new API keys and retiring old ones, you can minimise the risk of unauthorised access and enhance the security of your account and data.
End session
By sending a request to the session termination endpoint, the active session will end, revoking access to the API resources. This termination process can help prevent unauthorised access and potential security breaches, particularly in cases where access credentials have been compromised or when users or applications no longer require access to the API.
Leveraging this endpoint to terminate API sessions enhances data security and helps maintain efficient API management practices.
Stay Safe
By following these authentication best practices, you can securely authenticate your requests and access Alpha Connect with confidence.
If you have any questions or encounter any issues regarding authentication, don't hesitate to reach out to our support team for assistance.
Updated 16 days ago