Authentication

Learn how to authenticate calls to the Embedded Finance API

Client ID and Client Secret

During onboarding, your Wayflyer rep will have provided you with a pair of credentials: a client_id and a client_secret.

These should not be exposed in your front end. If they are, contact us immediately.

These can be exchanged for a Partner Token, which can then be exchanged for a Company Token. Some endpoints require a Partner Token and some require a Company Token. Both are JWTs and should be sent in the headers of HTTP calls to these endpoints as Bearer tokens, e.g.,

Authorization: Bearer <Partner Token | Company Token>

Partner Tokens

Some endpoints perform an action on behalf of a partner. These require a Partner Token.

To acquire a Partner Token, the partner's backend system should make a POST request to https://api.wayflyer.com/financing/v1/partner-token/ using the provided client_id and client_secret. The Partner Token is valid for 24 hours and should be securely cached and re-used until it expires.

The request payload must be structured as follows:

{
  "partner_id": "your-client-id",
  "partner_secret": "your-client-secret"
}

The response will contain the Partner Token:

{
  "token": "Partner_Token",
  "expires_in": 86000
}

Company Tokens

Some endpoints perform actions on behalf of a company. These require a Company Token.

To acquire a Company Token, the partner's backend must make a request to https://api.wayflyer.com/financing/v1/partner/company-token/ using the Partner Token as a Bearer token for authentication. The Company Token is valid for 24 hours and should be cached and re-used until it expires. It should only be used to perform actions for the company on whose behalf it was minted.

The request should include an anonymous ID for the user the partner is minting the Company Token for. It's important that this ID is both anonymous and consistent, i.e., it doesn't change between user sessions.

The request payload must be structured as follows:

{
  "company_id": "some-string-id",
  "user_id": "some-user-id"
}

The company_id parameter is a string that identifies a given company on your platform without revealing their public identity. You may choose how to map your companies to these IDs, but they must meet the following restrictions:

  • The ID must be provided as a string value.
  • The ID cannot exceed a length of 255 characters.
  • The ID must be unique per company.
  • The ID must not be something that could be used to reveal a company's identity without their explicit consent.

This call will return a Company Token, which must be supplied to the Wayflyer SDK:

{
  "token": "Company_Token",
  "expires_in": 86000
}
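The two-step exchange and caching described above, sketched as a backend helper. This is an added example, not Wayflyer's own code. The names `TokenCache`, `opaque_id` and `http_post`, the use of POST for the company-token call, the 60-second refresh margin, the in-memory cache and the HMAC-based ID derivation are all assumptions of this sketch.

```python
import hashlib, hmac, json, time, urllib.request

BASE = "https://api.wayflyer.com/financing/v1"

def http_post(url, payload, bearer=None):
    """Default transport: JSON POST (POST for company-token is an assumption)."""
    headers = {"Content-Type": "application/json"}
    if bearer:
        headers["Authorization"] = f"Bearer {bearer}"
    req = urllib.request.Request(url, json.dumps(payload).encode(), headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def opaque_id(mapping_key: bytes, internal_id: str) -> str:
    """Stable ID that does not reveal the internal one: HMAC-SHA256 hex, 64 chars."""
    return hmac.new(mapping_key, internal_id.encode(), hashlib.sha256).hexdigest()

class TokenCache:
    """Server-side cache; client_secret and tokens never leave the backend."""
    def __init__(self, client_id, client_secret, post=http_post,
                 clock=time.monotonic, skew=60):
        self._creds = {"partner_id": client_id, "partner_secret": client_secret}
        self._post, self._clock, self._skew = post, clock, skew
        self._cache = {}  # key -> (token, local expiry time)

    def _get(self, key, fetch):
        token, expiry = self._cache.get(key, (None, 0.0))
        if token is None or self._clock() >= expiry:
            body = fetch()
            token = body["token"]
            # Refresh slightly before the server-side expiry (skew is an assumption).
            self._cache[key] = (token, self._clock() + body["expires_in"] - self._skew)
        return token

    def partner_token(self):
        return self._get("partner",
                         lambda: self._post(f"{BASE}/partner-token/", self._creds))

    def company_token(self, company_id, user_id):
        # Keyed per (company, user): a token is only reused for the company it was minted for.
        payload = {"company_id": company_id, "user_id": user_id}
        return self._get(("company", company_id, user_id), lambda: self._post(
            f"{BASE}/partner/company-token/", payload, bearer=self.partner_token()))
```

Pass `opaque_id(key, internal_company_id)` and `opaque_id(key, internal_user_id)` as `company_id` and `user_id`, with `key` held only on the backend.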