Skip to main content

Overview

OAuth 2.0 allows your application to obtain authorization so that users can interact with their accounts through your application without providing their credentials directly to your backend. This API implements OAuth 2.0 Authorization Code Flow with PKCE (Proof Key for Code Exchange), providing enhanced security for both web and mobile applications.
Why OAuth 2.0? OAuth enables users to grant your application permission to act on their behalf without sharing their password. This authorization model ensures users maintain control over their data and can revoke access at any time. PKCE adds an extra layer of security to prevent authorization code interception attacks.
User Consent is Required: Just because your application receives authorization tokens does not mean you should access user data or modify their information without explicit user consent. OAuth provides the mechanism for user-initiated interactions—always respect the principle of least privilege and only access what users have explicitly authorized. See the Consent Management Guide for compliance requirements and implementation details.

What You’ll Need

Before starting, ensure you have:

API Keys

Your x-client-key (public) and x-secret-key (private) from your technical account manager

Redirect URI

A whitelisted callback URL where users return after authentication. Must use HTTPS for production; HTTP only for development. Custom schemes require TAM approval.

HTTPS Endpoint

A secure endpoint to receive the authorization code (production only)
Users must understand and explicitly consent to what your application will do with their authorization:

Data Access

  • Wallet balance and transaction history
  • Account information and preferences
  • Card details and spending activity

Actions Permitted

  • Initiate transactions
  • Manage cards and wallets
  • Update account settings
Example consent language:
“By connecting your account, you authorize [Your App Name] to view your wallet balance, transaction history, and initiate transactions on your behalf. You can revoke access at any time from your account settings.”
Best practices:
  • Obtain consent during first login or feature access
  • Use clear, non-technical language
  • Provide a way for users to review and revoke permissions
  • Only request access to data your application actually needs
Regulatory Compliance: The Baanx API includes a comprehensive Consent Management system to help you meet GDPR, CCPA, and E-Sign Act requirements. During user registration and authorization flows, you’ll need to collect and track user consent for marketing communications, data access, and terms of service. The system maintains an immutable audit trail for all consent changes.
Security First: Never expose your x-secret-key in client-side code, mobile apps, or public repositories. Keep it server-side only.

Choose Your Implementation

We support two OAuth flow implementations depending on your use case:

API Mode Flow

For custom authentication experiences
  • Full control over the login UI
  • Handle user credentials directly
  • Custom branding and flow
  • More integration steps (5 steps)
  • Requires additional security measures
Best for: Mobile apps, custom branded experiences, headless systems

Hosted UI Flow

Recommended for most applications
  • Users authenticate on our secure hosted login page
  • No need to handle credentials in your app
  • Built-in security and compliance
  • Faster implementation (4 steps)
  • Perfect for web applications
Best for: Web apps, SaaS integrations, third-party services

Token Types Explained

The API uses three different token types for different purposes:
Token TypePurposeLifetimeUsage
JWT TokenOAuth flow session10 minutesOnly used during OAuth flow initialization
Access TokenAPI authentication6 hoursInclude in Authorization: Bearer header for all API calls
Refresh TokenToken renewal7 daysExchange for new access tokens when they expire
Important: The JWT token from OAuth initiation is NOT the same as your access token. Use access tokens for API requests.

Quick Comparison

FeatureHosted UIAPI Mode
Implementation Steps45
Login PageHosted by usCustom (your app)
Security ComplexityLowerHigher
Setup Time~30 minutes~2 hours
User ExperienceStandardFully custom
Credential HandlingWe handle itYou handle it
Baanx ConfigurationRequired (Hosted UI setup)Standard setup only
Best ForWeb appsMobile apps

Flow Overview

API Mode Flow (5 Steps)

Hosted UI Flow (4 Steps)

Security Features

PKCE Required

Code challenge/verifier prevents authorization code interception

State Parameter

Random state string protects against CSRF attacks

Redirect URI Validation

Only whitelisted URIs accepted to prevent redirect attacks. Learn about HTTPS requirements, custom schemes, and CORS.

Short-lived Sessions

10-minute session expiry limits exposure window

Next Steps

1

Choose Your Flow

Decide between Hosted UI (recommended) or API Mode based on your needs
2

Implement Authorization

Follow the step-by-step guide for your chosen flow
3

Manage Tokens

Learn about token lifecycle and refresh
4

Review Security

Read security best practices before going to production

Common Use Cases

Allow external applications to access your users’ data with their permission. Use Hosted UI for simplicity and built-in security.
Build a native mobile app with custom branding. Use API Mode to control the entire user experience while maintaining security.
Enable users to log in across multiple applications with one set of credentials. Hosted UI works best for standard SSO implementations.
Allow your backend services to communicate securely on behalf of users. Use API Mode for service-to-service authentication.

Hosted UI Guide

Complete implementation guide

API Mode Guide

Custom flow implementation

Token Management

Token lifecycle & refresh

Security Guide

Best practices & pitfalls

API Reference

Detailed endpoint docs

Troubleshooting

Common issues & solutions

Need Help?

Get Support

Having trouble with OAuth implementation? Check our troubleshooting guide or contact our support team.