Introduction

Security of the open banking specification is based on the OAuth 2.0 authorization specification. For simplicity, it has been designed to use the OpenID Connect (OIDC) implementation of the specification due to its robustness and ease of understanding. This means all connecting clients would be given an id_token together with an access_token and refresh_token as defined by the specification. The table below describes the tokens and how they should be used.

Token Type | Description
id_token | This is a JWT token that contains public information* about the authenticated user (bank customer). The information encoded in this token contains claims such as account_number, phone_number, email, customer_type and any claims defined under the open_id scope section.
access_token | This is another JWT token that would be required to access any secured API resource on the resource server*.
refresh_token | This token is required to obtain a new access_token and therefore is expected to have a longer time_to_live than the original access_token.

public information *

The available public claims under the open_id scope are as follows:

email: The email address of the authenticated bank customer.
phone_number: The phone number of the authenticated bank customer.
account_number: The primary account number of the authenticated bank customer.

PS: All this information can also be retrieved using the /userinfo endpoint as defined by OIDC.

resource server *

The resource server is the OAuth 2.0 term for your API server, in this case, the open banking APIs. The resource server handles authenticated requests after the application has obtained an access token.

How to authenticate

Every request to an Open Banking Nigeria API endpoint must carry an HTTP Authorization header containing a valid access token, which is what we use to authenticate the calling account:

Authorization: Bearer followed by the access_token returned from the /oauth/token call

Credentials can be obtained from your bank's Open Banking portal or from the Open Banking Nigeria sandbox.

Authenticate request on sandbox

curl -v https://api.openbanking.ng/api/v1/endpoint \
-H "Authorization: Bearer {replace-it-with-your-access-token}" \
-H "Content-Type: application/json"

Authentication errors

You might get the error described below when authentication fails. You can read more about responses and errors on the Response page.

{
  "status": "ERROR",
  "message": "Access Denied",
  "code": "UNAUTHORIZED"
}
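As an added example that is not part of this documentation, the client-side handling of the token set and error document described above: checking an id_token's signature, expiry and open_id claims before trusting them, building the Authorization header for the sandbox call, and recognising the UNAUTHORIZED error. The page does not state the id_token signing algorithm or how keys are distributed, so HS256 with a constructed shared secret (SAMPLE_SECRET) stands in for the real verification; make_sample_id_token exists only to produce a constructed token for the demonstration.

```python
import base64, hmac, hashlib, json, time

# Constructed sample key; the page does not state the real algorithm or key.
SAMPLE_SECRET = b"constructed-sample-key-not-a-real-secret"
REQUIRED_CLAIMS = ("account_number", "phone_number", "email", "customer_type")

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_id_token(claims, secret=SAMPLE_SECRET):
    """Build a constructed HS256 id_token so the checks below can run offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_id_token(token, secret=SAMPLE_SECRET, now=None):
    """Verify signature, expiry and the open_id claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # reject 'none' and any algorithm we did not expect
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:  # an expired id_token must not be trusted
        raise ValueError("id_token expired")
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise ValueError(f"missing claims: {missing}")
    return claims

def auth_headers(access_token):
    """The headers the sandbox curl sends; the access_token, not the id_token, goes here."""
    return {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}

def parse_auth_error(body):
    """Return (code, message) if body is the authentication-failure document, else None."""
    doc = json.loads(body)
    if doc.get("status") == "ERROR" and doc.get("code") == "UNAUTHORIZED":
        return (doc["code"], doc.get("message", ""))
    return None
```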