Authentication

Learn about implementing authentication for your integration.

Overview

The Embed API uses OAuth 2.0 bearer tokens to authenticate requests. To get your credentials, please follow the steps below:

Step 1

Create a developer account. Once you create a developer account on the Embed API Dashboard, by default, you get a pair of test authentication credentials: client_id, and client_secret. This key pair is used to generate an access token that allows access to all the API endpoints.

Heads Up
Please note that to go live with production credentials, you will need to complete your company profile.
Be Safe
Your API keys carry privileges, so kindly keep them secure! Only use your key pairs on the server side; they are not client-side keys. Do not share your secret API keys in publicly accessible areas such as GitHub, client-side code, etc.

Step 2

Get your API credentials from the dashboard. To do this, simply tap on your profile picture (or the notice at the top of the home screen), then select the account option. Once on that page, you can see your API credentials both for sandbox and production environments.


Step 3

You can obtain an access token with your credentials (client_id and client_secret) by making a POST call to the token endpoint.

Endpoints
SANDBOX URL: https://sandbox.embed.cowrywise.com/o/token/
PRODUCTION URL: https://production.embed.cowrywise.com/o/token/
curl -d "grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -X POST https://sandbox.embed.cowrywise.com/o/token/

{
  access_token: ACCESS_TOKEN,
  expires_in: 3600,
  token_type: 'Bearer',
  scope: 'read write'
}

Step 4

To make API calls, pass the access token through the HTTP Authorization header, such as Authorization: Bearer {access_token}.

When an access token expires, the API will return the HTTP 401 Unauthorized status. You will need to obtain a new access token when that happens. All API calls must include the bearer access token as every endpoint is token-protected.

curl -X GET 'https://sandbox.embed.cowrywise.com/api/v1/accounts/3e874c0884cc4b08b8802442504edcad' \
  -H 'Authorization: Bearer ACCESS_TOKEN'

{
  account_id: '3e874c0884cc4b08b8802442504edcad',
  account_number: 186227749,
  first_name: 'Adamu',
  last_name: 'Jones',
  email: 'ecsa@gmail.com',
  risk_appetite: 0
  ...
}