The MBAPI uses three main forms of credential verification for secure authentication.
- API Keys
- HMAC Signatures
- Authorization Tokens
When you sign up for an account, you will be granted your own unique set of API credentials. The two main credentials you will need are the Medici Bank API Key MBAPI-KEY and the Medici Bank API Secret.
Your API Key is public and should be passed along within your API call headers (more on headers later). Your API Secret is private and should not be passed along (or exposed) in any public setting. Exposing it can allow a hacker to create API requests on your behalf. Your account will be suspended if a breach or unexpected activity is detected on your account.
To secure each request, we require that each call be sent with a Hash-based Message Authentication Code (HMAC) Signature. For more on how to construct the HMAC signature, go to Making Requests.
As a third layer of security, we require users of the API to create an MBAPI-AUTHTOKEN via our /authenticate API call. Tokens expire after 15 minutes, and you pass the token via the Authorization header:
Authorization: Bearer MBAPI-AUTHTOKEN
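The following sketch is an added example, not code from the MBAPI documentation: a client-side cache that renews the token before the 15-minute expiry and builds request headers that carry only the public key and the bearer token. The `authenticate` callable, the `MBAPI-KEY` header name and the 60-second renewal margin are assumptions; HMAC signing is left out because its construction is described under Making Requests.

```python
import time
from typing import Callable, Dict, Optional

TOKEN_LIFETIME_S = 15 * 60   # from the page: tokens expire after 15 minutes
REFRESH_MARGIN_S = 60        # assumption: renew early to absorb latency and clock skew


class TokenCache:
    """Caches an MBAPI-AUTHTOKEN and renews it before the 15-minute expiry."""

    def __init__(self, authenticate: Callable[[], str],
                 clock: Callable[[], float] = time.monotonic):
        # `authenticate` is a hypothetical callable that performs the
        # /authenticate call and returns the token string.
        self._authenticate = authenticate
        self._clock = clock
        self._token: Optional[str] = None
        self._issued_at = 0.0

    def token(self) -> str:
        age = self._clock() - self._issued_at
        if self._token is None or age >= TOKEN_LIFETIME_S - REFRESH_MARGIN_S:
            # Timestamp before the call so the local age estimate is never
            # younger than the token's real age on the server.
            requested_at = self._clock()
            self._token = self._authenticate()
            self._issued_at = requested_at
        return self._token

    def invalidate(self) -> None:
        """Drop the cached token, e.g. after the server rejects it."""
        self._token = None


def build_headers(api_key: str, cache: TokenCache) -> Dict[str, str]:
    # Only the public key and the short-lived token go on the wire; the API
    # Secret stays local for the HMAC signature and is never sent as a header.
    return {
        "MBAPI-KEY": api_key,  # assumed header name
        "Authorization": f"Bearer {cache.token()}",
    }
```

Using a monotonic clock keeps the expiry check correct even if the system wall clock is adjusted while the client is running.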
Next, we will look at the API Methods we allow…