Authentication

Avenu uses signed JWTs and RSA keys to provide access to the different functionalities of Avenu's API. Developers will need to understand these concepts and implement them in their applications. Request headers must contain the Customer Access Token and/or Client Access Token in order to trigger an endpoint.

Avenu's API uses POST, GET, and PUT requests to communicate and HTTP response codes to indicate status and errors. Avenu is served over HTTPS with TLS v1.2+ to ensure data privacy. Plain HTTP, and HTTPS with TLS versions below 1.2, are not supported.

Avenu requires all partners to follow the OWASP MAS guidelines. For authentication purposes this means not including API keys or secrets in the application and instead retrieving them dynamically from the application's back end.

Terminology

Client

An Avenu client is an organization that sponsors an application that leverages Avenu as a payments platform.

Customer

A customer is onboarded to the client.

Client Assertion JWT

A JWT Bearer Token is used for client authentication as part of the Customer onboarding flow. The Client Assertion JWT is used to verify that access token requests are from the client. It is signed with the Client Assertion Secret.

Client Access Token

The client access token is an encoded JWT issued to a client in response to a Client Access Token request. It encapsulates the client's identity within an Avenu Customer Onboarding API invocation. It is returned by the Avenu Authentication Service and is required to invoke Avenu's Customer Onboarding APIs. Client Access Tokens are passed as headers with the name Authorization and the prefix of Bearer.

Customer Access Token

The customer access token is an encoded JWT issued to a customer in response to a Customer Access Token request. It encapsulates the customer's identity within an Avenu API invocation. It is returned by the Avenu Authentication Service and is required to invoke Avenu's customer APIs. Customer Access Tokens need to be passed as headers with the name Authorization and the prefix of Bearer.
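The transport and header rules above (HTTPS only, TLS 1.2 or later, token sent as Authorization: Bearer) can be enforced in the calling code before a request leaves the application. The following is an added example, not Avenu's own code; the function names are hypothetical, and the access token is passed in at run time rather than embedded in the application.

```python
import re
import ssl
import urllib.request
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Compact JWT shape: three base64url segments separated by dots.
_JWT_SHAPE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
_METHODS = {"GET", "POST", "PUT"}  # the methods the page says the API uses


def tls12_context() -> ssl.SSLContext:
    """Certificate-verifying context that refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_request(url: str, access_token: str, method: str = "GET",
                  body: Optional[bytes] = None) -> urllib.request.Request:
    """Build a request carrying the token as 'Authorization: Bearer <jwt>'."""
    if urlsplit(url).scheme != "https":
        raise ValueError("plain HTTP is not supported; use https://")
    if method not in _METHODS:
        raise ValueError(f"unsupported method: {method}")
    # Rejects empty, whitespace-padded or multi-line values, so a malformed
    # token can never be written into the header.
    if not _JWT_SHAPE.fullmatch(access_token):
        raise ValueError("access token is not a compact JWT")
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Authorization", f"Bearer {access_token}")
    return req


def send(req: urllib.request.Request, timeout: float = 10.0) -> Tuple[int, bytes]:
    """Send the request over the TLS 1.2+ context; returns (status, body)."""
    with urllib.request.urlopen(req, timeout=timeout,
                                context=tls12_context()) as resp:
        return resp.status, resp.read()
```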