Authorization via JWT

JWT is a way for a bank to authorize an operation via a call-back.

Figure: Process flow for request authorization

The JWT is sent at step 3 via a call-back URL. If the call-back response fails, the operation is declined.

The system supports two ways of creating the JWT. Both approaches can be used simultaneously.

⬇️ Description

DCM generates a JWT. The Bank validates it against a DCM public key.

✅ Advantages

  • No effort needed to implement:

      • a key storage

      • a function to generate a JWT

  • DCM can manually confirm requests to Identifiers.

  • Access rules for employees are controlled by DCM.

🤔 Drawbacks

  • The private key belongs to DCM.

  • A csrf_token must be obtained with the login-password flow.

  • The Authorization header must contain a current csrf_token.

JWT by Bank

At step 2 the Bank generates a JWT that is used at step 5 in the CX-Authorization header when a Bank Employee performs an operation (e.g. creates a new customer). At step 6 DCM validates the JWT, and the Bank does the same at step 8.

Steps 3-4 are optional and can be used to check whether the JWT is valid.

Register JWK by bank

To jump-start the flow when JWT by Bank is used, please register at least one JWK in our authentication service for your counterparty.

Create jwk

POST /counterparty/{counterparty_guid}/jwk

Path parameters

  • counterparty_guid (string, required): Counterparty GUID

Body

  application/json object whose data field carries the JWK (see the request example below).

Responses

  • 200 OK (application/json)

Request

POST /api/v1/counterparty/{counterparty_guid}/jwk HTTP/1.1
Host: your_host
Content-Type: application/json
Accept: */*
Content-Length: 47

{
  "data": {
    "ANY_ADDITIONAL_PROPERTY": "anything"
  }
}

Request example

{
  "data": {
    "alg": "RS256",
    "e": "AQAB",
    "kid": "54321",
    "kty": "RSA",
    "n": "14FGZls6nrBLY2XH9Dn6UVoY24oynIXJX1PGz6c4wB2Q3DpBj-zPwouhXCQSAGyQB4Co0FN0_pML5g1xSOMY1SccBGZ_CxhdSvyskP01Fr0_rHidIdRIc69k-UPzhnk6Nx_F1uFp8105jUD2Tq_VYIS49rqtct4UQOL5PPzfTOUqBMAEBwvL65KqUAOciC1ae_LV6SHZQXdIqv3EZzA3PxZ4pTa6DvnjgVAbP2zNANUFSnuemvTmQbH05E0qTtGkXugwcc4jCfnOWS4gix2GWDoIhwCi8AbK4aAN-H3D770rF4z4Tb59DEw8-8hZQZtyoJeEi8FWNM1Y6Ki5FMxzpQ",
    "use": "sig"
  }
}

Response 200

{
  "guid": "text"
}

Get list of registered keys for bank JWT

Once a JWK is registered, you can check that it exists in our key storage.

Get jwks

GET /counterparty/{counterparty_guid}/jwk

Path parameters

  • counterparty_guid (string, required): Counterparty GUID

Responses

  • 200 OK (application/json)

Request

GET /api/v1/counterparty/{counterparty_guid}/jwk HTTP/1.1
Host: your_host
Accept: */*

Response 200

{
  "keys": [
    {
      "created_at": "text",
      "data": {
        "ANY_ADDITIONAL_PROPERTY": "anything"
      },
      "guid": "text",
      "updated_at": "text"
    }
  ]
}

Check Bank JWT

This feature allows you to check your JWT in our authentication service without changing any objects or processes.

Authenticate

POST /counterparty/{counterparty_guid}/jwk/authenticate

Path parameters

  • counterparty_guid (string, required): Counterparty GUID

Header parameters

  • CX-Authorization (string, required): Counterparty JWT

Responses

  • 200 OK (application/json)

Request

POST /api/v1/counterparty/{counterparty_guid}/jwk/authenticate HTTP/1.1
Host: your_host
CX-Authorization: text
Accept: */*

Response 200

{
  "session_token": "text"
}

JWT by DCM

The default scheme (the JWT is created by DCM) lets you use role-based access to the features of the processing system.

DCM generates the JWT at step 4. The Bank validates it at step 6.

Get list of registered keys for DCM JWT

You can verify our JWT in your Bank Auth Service using our public key, selected from the list below by its kid.

Get list of registered keys for DCM JWT

GET /.well-known/jwks.json

Responses

  • 200 OK (application/json)

Request

GET /api/v1/.well-known/jwks.json HTTP/1.1
Host: your_host
Accept: */*

Response 200

{
  "keys": [
    {
      "alg": "text",
      "e": "text",
      "kid": "text",
      "kty": "text",
      "n": "text",
      "use": "text"
    }
  ]
}
