Authentication options

With a server-side integration, you are responsible for directly handling and storing sensitive user information. With a client-side integration, you can use Moov.js and server-generated access tokens to transmit data from your user directly to Moov.

Server-side: Basic authentication

You can use your API key’s public and private keys with Basic authentication.

Set the Authorization header to Basic <credentials>, where credentials is the Base64 encoding of the public key and private key joined by a single colon (:).

Only use this method if you are developing a server-side integration. If you are developing a client-side integration, use OAuth instead.

Client-side: OAuth with JWT

You can set up authentication with OAuth and initialize Moov.js in your application. When making requests to Moov from a browser, you can use OAuth with JSON Web Tokens (JWT).

Understand scopes

A scope is a permission that limits how a specific account can interact with another account. The rest of this guide will reference various scopes that are required for specific actions via Moov.js or any client-side integration.

| Scope | Description |
| --- | --- |
| /accounts.write | Allows creating a new Moov account and viewing all connected accounts |
| /accounts/{accountID}/bank-accounts.write | Access to view or add a linked bank account to a Moov account |
| /accounts/{accountID}/cards.write | Access to view or add linked cards to a Moov account |
| /accounts/{accountID}/payment-methods.read | Access to view payment methods for the account specified |

For the full list of scopes, read the scopes documentation.

Create an access token

Within your server-side application, you’ll generate a single-use access token containing information needed to communicate with your Moov account securely. Once you’ve generated this token, you can send it back to your client to use with Moov.js.

For each action you take, you will need a unique, short-lived access token. The example below generates a token that can create a new account. Moov.js requires the /accounts.write scope.

curl -X POST "https://api.moov.io/oauth2/token" \
  -u "PUBLIC_KEY:PRIVATE_KEY" \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "scope=/accounts.write"

import { Moov, SCOPES } from '@moovio/node';

const moov = new Moov({
  accountID: "YOUR_MOOV_ACCOUNT_ID",
  publicKey: "PUBLIC_KEY",
  secretKey: "PRIVATE_KEY",
  domain: "YOUR_DOMAIN"
});

const scopes = [SCOPES.ACCOUNTS_CREATE];
try {
  const {token} = await moov.generateToken(scopes);
  // Do something with token
} catch(err) {
  // Handle any errors
}
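
The Basic credential format, the scope table and the token request above, combined into one server-side helper as an added example (not Moov's own code): the browser names an action, the server maps it to exactly one scope from the table, and the private key stays on the server. The action names and the accountID character check are assumptions made for illustration.

```javascript
// Added example; action names and the accountID pattern are assumptions.
const TOKEN_URL = "https://api.moov.io/oauth2/token";

// Server-side allowlist: the browser names an action, never a raw scope.
const ACTION_SCOPES = {
  createAccount: "/accounts.write",
  linkBankAccount: "/accounts/{accountID}/bank-accounts.write",
  linkCard: "/accounts/{accountID}/cards.write",
  listPaymentMethods: "/accounts/{accountID}/payment-methods.read",
};

// Conservative ID check (assumed format) so an ID cannot smuggle in
// spaces or slashes that would change the scope being requested.
const ACCOUNT_ID_RE = /^[A-Za-z0-9-]{1,64}$/;

function scopeForAction(action, accountID) {
  // Own-property check rejects names like "constructor" or "__proto__".
  if (!Object.prototype.hasOwnProperty.call(ACTION_SCOPES, action)) {
    throw new Error(`action not allowed: ${action}`);
  }
  const template = ACTION_SCOPES[action];
  if (!template.includes("{accountID}")) return template;
  if (typeof accountID !== "string" || !ACCOUNT_ID_RE.test(accountID)) {
    throw new Error("invalid accountID");
  }
  return template.replace("{accountID}", accountID);
}

// Builds the same request as the curl example, without sending it.
function buildTokenRequest(publicKey, privateKey, action, accountID) {
  const credentials = Buffer.from(`${publicKey}:${privateKey}`).toString("base64");
  return {
    url: TOKEN_URL,
    method: "POST",
    headers: {
      Authorization: `Basic ${credentials}`,
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: new URLSearchParams({
      grant_type: "client_credentials",
      scope: scopeForAction(action, accountID),
    }).toString(),
  };
}

// Sends the request; call from a server route (uses Node 18+ global fetch).
async function mintToken(publicKey, privateKey, action, accountID) {
  const { url, ...init } = buildTokenRequest(publicKey, privateKey, action, accountID);
  const res = await fetch(url, init);
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  return res.json();
}
```

Call mintToken once per client action and return only the resulting token to the browser, never the key pair.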