Authorization via JWT

JWT is a way for a bank to authorize an operation via call-back

JWT is sent at step 3 via a call-back URL. In case a response fails, the operation is declined.

The system supports 2 ways of JWT creation. Both approaches can be used simultaneously.

⬇️Description

✅Advantage

🤔Drawback

DCM generates a JWT.

Bank validates it against a DCM public key

No efforts to implement:

a key storage
a function to generate a JWT

DCM is capable to manually confirm requests to Identifiers.

Access rules for employees are controlled by DCM.

The private key belongs to DCM
A csrf_token must be obtained with login-password flow

Header Authorization must contain an actual csrf_token.

JWT by Bank

At step 2 Bank generates JWT, that is used at step 5 in header CX-Authorization when Bank Employee makes an operation (e.g. creates a new customer). At step 6 DCM validates the JWT. The same does the bank at step 8.

Steps 3-4 are optional and can be used to check if the JWT is valid.

Register JWK by bank

To jump-start the flow when JWT by bank is used, please register at least one JWK key in our authentication service for your counterparty.

Create jwk

post

Create jwk

Path parameters

counterparty_guidstringRequired

Counterparty GUID

Body

Responses

200

application/json

400

json with error msg

application/json

post

/counterparty/{counterparty_guid}/jwk

POST /api/v1/counterparty/{counterparty_guid}/jwk HTTP/1.1
Host: your_host
Content-Type: application/json
Accept: */*
Content-Length: 47

{
  "data": {
    "ANY_ADDITIONAL_PROPERTY": "anything"
  }
}

{
  "guid": "text"
}

Request example

{"data": {
	"alg": "RS256",
	"e": "AQAB",
	"kid": "54321",
	"kty": "RSA",
	"n": "14FGZls6nrBLY2XH9Dn6UVoY24oynIXJX1PGz6c4wB2Q3DpBj-zPwouhXCQSAGyQB4Co0FN0_pML5g1xSOMY1SccBGZ_CxhdSvyskP01Fr0_rHidIdRIc69k-UPzhnk6Nx_F1uFp8105jUD2Tq_VYIS49rqtct4UQOL5PPzfTOUqBMAEBwvL65KqUAOciC1ae_LV6SHZQXdIqv3EZzA3PxZ4pTa6DvnjgVAbP2zNANUFSnuemvTmQbH05E0qTtGkXugwcc4jCfnOWS4gix2GWDoIhwCi8AbK4aAN-H3D770rF4z4Tb59DEw8-8hZQZtyoJeEi8FWNM1Y6Ki5FMxzpQ",
	"use": "sig"
}}

Get list of registered keys for bank JWT

When a JWK is registered, you may check if it exists in our register storage.

Get jwks

get

Get jwks

Path parameters

counterparty_guidstringRequired

Counterparty GUID

Responses

200

application/json

400

json with error msg

application/json

get

/counterparty/{counterparty_guid}/jwk

GET /api/v1/counterparty/{counterparty_guid}/jwk HTTP/1.1
Host: your_host
Accept: */*

{
  "keys": [
    {
      "created_at": "text",
      "data": {
        "ANY_ADDITIONAL_PROPERTY": "anything"
      },
      "guid": "text",
      "updated_at": "text"
    }
  ]
}

Check Bank JWT

This feature allows you to check your JWT in our authentication service with no changes to any objects and processes.

Authenticate

post

Authenticate

Path parameters

counterparty_guidstringRequired

Counterparty GUID

Header parameters

CX-AuthorizationstringRequired

Counterparty JWT

Responses

200

application/json

400

json with error msg

application/json

post

/counterparty/{counterparty_guid}/jwk/authenticate

POST /api/v1/counterparty/{counterparty_guid}/jwk/authenticate HTTP/1.1
Host: your_host
CX-Authorization: text
Accept: */*

{
  "session_token": "text"
}

JWT by DCM

Default scheme (when the JWT is created by DCM) allows you to use the role-based access to the features of the processing system.

DCM generates JWT token at step 4. The bank validates it at step 6.

Get list of registered keys for DCM JWT

You may verify our JWT in your Bank Auth Service using our public key by its kid.

Get list of registered keys for DCM JWT

get

Get list of registered keys for DCM JWT

Responses

200

application/json

400

json with error msg

application/json

get

/.well-known/jwks.json

GET /api/v1/.well-known/jwks.json HTTP/1.1
Host: your_host
Accept: */*

{
  "keys": [
    {
      "alg": "text",
      "e": "text",
      "kid": "text",
      "kty": "text",
      "n": "text",
      "use": "text"
    }
  ]
}

PreviousAuthentification NextBank authorization

Last updated 1 year ago