
Access credentials 🔐

Prior to authenticating your application you will need to register for a Wych account.

Prepare your access credentials

To call the Wych API you need to send two headers on each call. These headers are used to manage your access.

  • x-api-key
  • authorisation

API key

As with your client id and secret, your x-api-key is retrieved from the app configuration dashboard. The API key is used for throttling and volume tracking. Like your Auth credentials, it should be protected. On its own it does not permit access to data, only to the API itself.

  • x-api-key

Authorisation Bearer Token

When working with Wych APIs, your application must complete the authentication process before it can access any of the available resources. The process requires you to exchange your API key for a token. Once you obtain the token, you can call any of the available API services by including the token in the Authorization header of each request.

Note: Your token will expire after 60 minutes, so ensure you are caching the token and only generating a new one when necessary. Excessive use of the /token endpoint may result in unsuccessful requests.

This token is retrieved by calling the /token endpoint and exchanging your client id and client secret for your bearer token. This

Client credentials give access to your customer data. Protect them.
  • authorisation: bearer <TOKEN>

Retrieve your authorisation token

Get the Wych openid configuration endpoint. From here you can find our token_endpoint.

GET /openid-configuration

curl --location ''

{
  "issuer": "",
  "authorization_endpoint": "",
  "token_endpoint": "",
  "introspection_endpoint": "",
  "userinfo_endpoint": "",
  "end_session_endpoint": "",
  "jwks_uri": "",
  "grant_types_supported": [
    "authorization_code refresh_token client_credentials"
  ]
}

Use the token_endpoint value from the openid-configuration as the target URL, and set the client_id and client_secret to retrieve your service token. This token has limited READ:WRITE permissions. It cannot be used to access your customers' details, but it can be used to manage your account and your registered customers.

POST /token

curl --location '{{token_endpoint}}' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=client_123456789' \
  --data-urlencode 'client_secret=supxxxxxxxxret' \
  --data-urlencode 'grant_type=client_credentials'

{
  "access_token": "eyJhbGc...7Zkg",
  "expires_in": 900,
  "refresh_expires_in": 0,
  "token_type": "Bearer",
  "not-before-policy": 0
}

Now that you can connect to the API it is time to have a user connect to their bank and consent so that you can retrieve user data.
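
One way to follow the caching note above, as an added example that is not Wych's own code: a small Python cache that performs the client_credentials exchange once and reuses the token until shortly before the expires_in value returned by /token. The class name, the 30-second refresh margin and the use of the Authorization spelling for the header are assumptions.

```python
import json
import threading
import time
import urllib.parse
import urllib.request

AUTH_HEADER = "Authorization"  # the page's bullet list spells this header "authorisation"

class TokenCache:
    """Fetches the client_credentials token once and reuses it until near expiry."""

    def __init__(self, token_endpoint, client_id, client_secret,
                 fetch=None, clock=time.monotonic, skew=30):
        self._endpoint = token_endpoint      # token_endpoint from /openid-configuration
        self._form = {"client_id": client_id, "client_secret": client_secret,
                      "grant_type": "client_credentials"}
        self._fetch = fetch or self._post_token   # injectable so the cache runs offline
        self._clock = clock
        self._skew = skew                    # assumption: refresh 30 s before expiry
        self._lock = threading.Lock()        # one refresh at a time, no /token stampede
        self._token, self._expires_at = None, 0.0

    def _post_token(self):
        # Same form-encoded POST as the curl call above.
        body = urllib.parse.urlencode(self._form).encode()
        req = urllib.request.Request(self._endpoint, data=body, headers={
            "Content-Type": "application/x-www-form-urlencoded"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)

    def token(self):
        with self._lock:
            now = self._clock()
            if self._token is None or now >= self._expires_at:
                reply = self._fetch()
                if str(reply.get("token_type", "")).lower() != "bearer":
                    raise ValueError("unexpected token_type in /token response")
                # Trust expires_in from the response, not a hard-coded lifetime.
                token, lifetime = reply["access_token"], int(reply["expires_in"])
                self._token = token
                self._expires_at = now + max(0, lifetime - self._skew)
            return self._token

    def headers(self, api_key):
        # The two headers sent on every API call.
        return {"x-api-key": api_key, AUTH_HEADER: f"Bearer {self.token()}"}
```

Load the client_id and client_secret from a secret store or environment variables rather than source code, and keep the returned token out of logs.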