Security of the Open Banking specification is based on the OAuth 2.0 authorization specification. For simplicity, it has been designed to use the OpenID Connect (OIDC) implementation of the specification because of its robustness and ease of understanding. This means every connecting client is issued an `id_token` together with an `access_token` and a `refresh_token`, as defined by the specification. The table below describes the tokens and how they should be used.
| Token Type | Description |
|---|---|
| `id_token` | A JWT that contains public information* about the authenticated user (bank customer). The claims encoded in this token include `account_number`, `phone_number`, `email`, `customer_type` and any claims defined under the `open_id` scope section. |
| `access_token` | Another JWT, required to access any secured API resource on the resource server*. |
| `refresh_token` | Required to obtain a new `access_token`, and therefore expected to have a longer time-to-live than the original `access_token`. |
\* public information

The available public claims under the `open_id` scope are as follows:

- `phone_number`: The phone number of the authenticated bank customer.
- `account_number`: The primary account number of the authenticated user.

PS: All this information can also be retrieved using the `/userinfo` endpoint as defined by OIDC.
\* resource server

The resource server is the OAuth 2.0 term for your API server, in this case the Open Banking APIs. It handles authenticated requests after the application has obtained an access token.
How to authenticate
Every request to an Open Banking Nigeria API endpoint should carry an HTTP header containing a valid API key that we use to authenticate the account:

`Authorization`: the `access_token` from the `/oauth/token` call

Credentials can be obtained from your bank's Open Banking portal or from the Open Banking Nigeria sandbox.
Authenticate request on sandbox
```bash
curl -v https://api.openbanking.ng/api/v1/endpoint \
  -H "Authorization: Bearer {replace-it-with-your-access-token}" \
  -H "Content-Type: application/json"
```
Authentication errors
You might get the error described below when authentication fails. You can read more about responses and errors under Response.

```json
{
  "status": "ERROR",
  "message": "Access Denied",
  "code": "UNAUTHORIZED"
}
```
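The client-side handling implied by the token table, the Bearer header and the UNAUTHORIZED error above, as an added example that is not part of the Open Banking Nigeria documentation: the `id_token` is accepted only after its `alg`, signature and `exp` are checked, the API headers are built from the `access_token`, and the error body is mapped to a "refresh the access token" decision. The HS256 shared secret and the token claims are constructed for the example; a real issuer signs with its own key (usually RS256) verified against its published JWKS.

```python
import base64, hashlib, hmac, json

# Constructed shared secret for this example only; not a real issuer key.
SECRET = b"constructed-demo-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict) -> str:
    """Build an HS256-signed JWT carrying the given claims (constructed id_token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now: int):
    """Return the claims if alg, signature and exp all check out, else None.
    The alg is pinned before the signature is examined, so a token that merely
    claims a different algorithm is rejected outright."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError, AttributeError):
        return None
    # exp is seconds since the epoch; an expired token must not be trusted.
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims

def auth_headers(access_token: str) -> dict:
    """Headers for an API call, matching the curl example on the page."""
    return {"Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json"}

def needs_refresh(body: str) -> bool:
    """True when the body is the page's UNAUTHORIZED error, i.e. the client should
    obtain a new access_token with its refresh_token and retry the request."""
    try:
        err = json.loads(body)
        return err.get("status") == "ERROR" and err.get("code") == "UNAUTHORIZED"
    except (ValueError, AttributeError):
        return False
```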