Authenticate
OAuth 2.0 is a popular protocol for authorization. This controls entry to our system and ensures that only authorized entities can access our APIs and other protected resources. The information you enter into our authentication system is confidential and can never be accessed from any other Cross River applications.
Our system authenticates machine clients and authorizes them to talk to our APIs.
The Cross River Integration Team provides you with a client_id and a client_secret that you use when requesting an access token. You can use a web-based tool, like Postman, to send API requests.
HTTP component | Attribute | Description |
---|---|---|
Endpoint | POST /connect/token | Endpoint for retrieving an access token. |
Header | content-type | application/x-www-form- urlencoded |
Body | grant_type | This field will always have a value of client_credentials Secrets aren't recoverable by CR. If you lose a secret, a new one must be generated. |
Body | client_id | The unique identifier for a client. |
Body | client_secret | An encrypted string of characters used to sign and validate ID tokens. Important: Don’t commit your secrets into source control. Secrets aren't recoverable by CR. If you lose a secret, a new one must be generated. |
Body | scope | A specific range or a limited set of services that a user can access with an access token. - If the required scope is missing, the subsequent API call will be returned as forbidden (403). - If a scope isn't specified, the token returned will contain all scopes associated with your credentials. Note: Multiple scopes can be sent in the same request by adding a space between the name of each scope. For example: 'scope=scope1 scope2 scope3' |
When you've successfully authenticated, an access_token will be returned to you. This access token allows you to send information securely as a JSON object for use in our APIs. Add this token to the header of your API calls.
IMPORTANT Make sure to protect your token. Don’t log it. Anyone who steals your token can impersonate your client for the lifetime of the token.
Response attributes
access_token | A digitally signed JSON web token (JWT) sent from the oAuth server that allows access to specific Cross River resources. |
---|---|
scope | A range of services that a user can access. |
expires_in | The amount of time until the token expires.
IMPORTANT: Make sure to never decode your token on a publicly hosted website. |
token_type | Bearer token. |
Sample Postman access token return
If the authentication is successful, the Status code is OK.
Sandbox URL: https://oauthtest.crbnj.net/connect/token
Production URL: https://oauth.crbnj.net/connect/token
You can test the authorization and authentication into our systems with this endpoint, GET /api/SignupCard/TestOauth. If the authentication token is valid, it will return a 200. If the authentication token isn't valid, it will return a 401.
If you can't get a bearer token and you haven't received one in the past:
- Confirm the URL.
- Check that the client_id and client_secret are typed correctly. They are case sensitive.
- Check your client_id and client_secret against the one you received.
- Make sure there are no network or allowlist issues.
Contact our Integration Team if your account is locked as a result of 3 incorrect log in attempts.