Authentification
How to log in to the system with an employee credentials
Table of contents
Overview
In order to work with DCM you should be authenticated and authorized in the system.
A JWT token signed by bank's key accompanies every request to API (step 1).
Additional step 3 is used to authorize the request by bank.

How to integrate using a JWT?
Below an example for customer registration is depicted.

At step 8 the bank is able to validate if the value in
X-Session-ID
is signed by the DCM key.Later at step 7 DCM prepares its own JWT and sends it to Bank API endpoint /user_auth in a header
X-Session-ID
.At step 6 DCM validates the JWT.
As you can see, at step 2 Bank generates a JWT (in blue) that is sent at step 5 in a header
CX-Authorization
.
Steps 3-4 are optional and can be used to check if the JWT is valid.
Update a JWK
Initial JWK is uploaded into the system during onboarding (see ). Once your key is about to expire, please register the new JWK key for your counterparty.
Update jwk
Counterparty GUID
JWK GUID
PUT /api/v1/counterparty/{counterparty_guid}/jwk/{jwk_guid} HTTP/1.1
Host: your_host
Content-Type: application/json
Accept: */*
Content-Length: 47
{
"data": {
"ANY_ADDITIONAL_PROPERTY": "anything"
}
}
{}
Validate bank's JWT
The endpoint allows you to check your own JWT in our authentication service.
Authenticate
Counterparty GUID
Counterparty JWT
POST /api/v1/counterparty/{counterparty_guid}/jwk/authenticate HTTP/1.1
Host: your_host
CX-Authorization: text
Accept: */*
{
"session_token": "text"
}
Check list of JWKs by DCM
The endpoint allows you to get a DCM public key. So, you will be able to check a JWT signed by DCM.
Get list of registered keys for DCM JWT
GET /api/v1/.well-known/jwks.json HTTP/1.1
Host: your_host
Accept: */*
{
"keys": [
{
"alg": "text",
"e": "text",
"kid": "text",
"kty": "text",
"n": "text",
"use": "text"
}
]
}
JWT format
JWT is used for all 3 methods in header X-Session-ID
to specify "who" (subject) intends to do with "what" (object). The content of JWT must by signed with a bank's private key.
An example of a JWT payload:
An example of a JWT payload:
{
"flow": "sign-in" // constant: sign-in
"obj": "123456789", // object - identifer of a customer (e.g. IBAN or phone number)
"sub": "[email protected]", // subject identifier
"iat": 1684501806, // issued at
"exp": 1684501806, // expires at
}
So, when a callback is received on bank's side, it is possible for your systems to check a signature, object and subject that you placed into an initial request to API methods of TPN.
Example of a full signed JWT:
eyJhbGciOiJSUzI1NiIsImtpZCI6IjljMzdlYjc5LWI2YmYtNDQzNC1hYzNhLTM1NTZjOGI0YjBmNyIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2OTIxNzIzODUsImZsb3ciOiJzaWduLXVwIiwiaWF0IjoxNjkyMTcyMDg1LCJvYmoiOiJlbWlzc2lvbl8wIiwic3ViIjoiYWRtaW5fYmFuazFAc3RhZ2UudGVzdCJ9.Woh-N-4jeK90rmSbOtAZLno4rCBnWBUOi-PaB6as1lnips966Io19tiK5RQ0aDOoFTrRkGbm01HlDZpHxquI2-BMJfqifY7_QYknge1mHiGIn1lw6W4fBaYcHT2MPJ59ATvzAlt-WMxI6jppsH0tK4ITIUXOfsf6F6flFr1gfWu2HAmys1jxWnKuzRcFpm24Vjoij5exoBlb3wJUaIzJCezJmEAeAqtENZyzpozwRzthDbxhFvkDrm78mMfmjvvvwqdsSAjmKj7apnx0qOqRuKhiFZNbs9aftQqWIGPZ3VaTWIXgksLxiY5xVcf275awYmtZBD7mHeRNIwVYUDWzMQ
The content can be decoded here.
If all the checks pass on your side, a successful response (see details below) should be sent. Otherwise an HTTP 401 (Unauthorized) is expected.
Authorization via callbacks
3 API methods on Bank's side are required to share the account ownership between Bank and DCM.
GET
/user_auth
user data
GET
/key
user secret key
GET
/external_id
authentication
Callback specification
GET /user_auth
Request example:
curl "https://{bank's auth host}/user_auth" --header "X-Session-ID:token"
Response example:
{
"external_id":"123456789", // up to 500 symbols
"first_name":"mock",
"last_name":"mock",
"email":"[email protected]",
"phone":"+12345678901",
"key":"secret"
}
Attributes external_id
, key
and phone
are obligatory in response.
GET /key
Request example:
curl "https://{bank's auth host}/key" --header "X-Session-ID:token"
Response example:
{
"key":"secret"
}
GET /external_id
Request example:
curl "https://{bank's auth host}/external_id" --header "X-Session-ID:token"
Response example:
{
"external_id":"123456789"
}
Last updated