/auth_token
Request or invalidate an Auth token
Required auth method
Newly onboarding customers are required to implement the OAuth2 method for authentication. Please disregard ECDSA references.
Migrating from ECDSA to OAuth2 implementation guide here.
Call this endpoint to request an auth token which can be used to authorize subsequent API requests. This token has an 8-hour expiry window.
You can also call this endpoint to invalidate auth tokens.
Refer to the JWT Overview doc for more information on JWT and the auth token object your /auth_token
Requesting an Auth Token Requirements
HTTP Basic Authentication username and password
Since the JWT method utilizes HTTP Basic Authentication, you'll need an Authorization: Basic username:password string.
Use your client_id for the username and client_secret for the password.
You received the client_id and client_secret when you first created your app. Look for the file you downloaded after clicking "Download Keys" during app creation
Building and encoding an HTTP Basic Authentication credentials string
You'll use this credentials string in the Authorization header of /auth_token.
Building
Construct the credentials string by concatenating the client_id, a single colon (:) character, and the client_secret.
Encoding
When the time comes to add the credentials string to the Basic auth header, you need to first encode with Base64 as a utf-8 value, then convert that value to an ASCII string.
Here's an example of how that is done in JavaScript and Python:
const basicAuthString = 'Basic ' + Buffer.from(CLIENT_ID + ':' + CLIENT_SECRET).toString('base64');
>>> base64.b64encode(b'my_app_client_id:my_app_client_secret').decode('utf-8')
'bXlfYXBwX2NsaWVudF9pZDpteV9hcHBfY2xpZW50X3NlY3JldA=='
Request
POST /0.2/auth_token HTTP/1.1
Host: sandbox.silamoney.com
Authorization: Basic bXlfYXBwX2NsaWVudF9pZDpteV9hcHBfY2xpZW50X3NlY3JldA==
Content-Type: application/json
{
"header": {
"created": 1234567890,
"app_handle": "your_app_handle",
"version": "0.2",
"reference": "<your unique id>"
}
}
***
HTTP/1.1 200 OK
{
"success": true,
"access_token": {
"token": "205-character string",
"expiration": 1736995597,
"expiration_dt": "2025-01-16T02:46:37Z"
},
"status": "SUCCESS",
"reference": "7634e65a-ece6-4b34-b6ba-82dc2ad98b10",
"sila_reference_id": "req_z0cwbs84v9z5e8cdhuhlgautwa",
"response_time_ms": "323"
}
Request Attributes
| Key | Data Type | Description |
|---|---|---|
| header | JSON object | Required. Required keys: created - Unix epoch timestamp in seconds. Must not be future-dated and must not be dated more than 5 minutes in the past.app_handle - your app handleOptional keys: reference: Can be any value for your own reference. If not provided, one will be assigned.version: Cannot be null if key is present. Valid values: 0.2, v0.2, V0.2 |
Responses
The response will contain a JWT access token, the token's expiration time in both epoch and human-friendly format, and a success boolean.
| Key | Data Type | Description |
|---|---|---|
success | Boolean | True for a successful response. |
access_token | JSON object | A container for access token data. |
access_token.token | String | A 205-character string. |
access_token.expiration | Integer | A Unix epoch timestamp in seconds. Can be up to 8 hours in the future. |
access_token.expiration_dt | String | A human-friendly representation of the expiration value, conforms to ISO 8601 for combined date and time values.Example: 2021-01-24T19:12:08.454818Z |
Invalidating an Auth Token
If you feel that your application's current and unexpired Auth token has become compromised, you may immediately invalidate it by calling this endpoint with a DELETE method.
Request
DELETE /0.2/auth_token HTTP/1.1
Host: sandbox.silamoney.com
Authorization: Basic bXlfYXBwX2NsaWVudF9pZDpteV9hcHBfY2xpZW50X3NlY3JldA==
Content-Type: application/json
{
"header": {
"created": 1234567890,
"auth_handle": "handle.silamoney.eth",
"version": "0.2",
"reference": "<your unique id>"
}
}
***
HTTP/1.1 200 OK
{
"success": true,
"reference": "your unique id",
"sila_reference_id": "sila-generated-id"
}
Request Attributes
| Key | Data Type | Description |
|---|---|---|
| header | JSON object | Required. Required keys: created - Unix epoch timestamp in seconds. Must not be future-dated and must not be dated more than 5 minutes in the past.app_handle - your app handleuser_handle - the user_handle to go through KYCOptional keys: reference: Can be any value for your own reference. If not provided, one will be assigned.version: Cannot be null if key is present. Valid values: 0.2, v0.2, V0.2 |
Responses
| Key | Data Type | Description |
|---|---|---|
success | Boolean | True for a successful response. |
Next Steps:
After obtaining your authentication token, you can use that to authenticate any following requests.
If you are an onboarding customer building out your workflow, proceed to end user registration and KYC:
How to sign requests with a JWT Auth Token
After retrieving your token from calling /auth_token, you will include the below as part of the authorization header of all your API requests.
Authorization: Bearer [GENERATED 205 char JWT TOKEN HERE]
Authentication Failure Responses
There are various conditions relating to the use of an auth token which can produce an authentication error. Some of the returned error messages are deliberately vague to avoid exposing failure reasons in order not to encourage phishing.
| Status code | Error Message | Reason |
|---|---|---|
| 401 | The auth token provided has expired. | Expired token |
| 401 | The auth token is invalid. | Token was not generated for the app specified by app_handle |
| 403 | The Authorization: Bearer string is not properly encoded; it must be a base64-encoded ASCII string. | Poorly-formed Bearer token (usually incorrect encoding) |
| 403 | Permission to auth this resource has been denied. | Use of Basic HTTP Authentication header (currently only used by /auth_token) |
| 403 | The auth token is invalid. | Passing a token for a SANDBOX app to PROD (or vice-versa) |
Updated 25 days ago