Ask Moov Beta
Generative AI is experimental and can make mistakes.
Guides Use cases API Changelog
  1. API reference
  2. Authentication

Authentication options

With a server-side integration, you are responsible for directly handling and storing sensitive user information. With a client-side integration, you can use Moov.js and server-generated access tokens to transmit data from your user directly to Moov.

Server-side: Basic authentication

You can use your API key's public and private keys with Basic authentication.

Set the Authorization header to Basic <credentials>, where credentials is the Base64 encoding of public key and private key joined by a single colon :.

Only use this method if you are developing a server-side integration. If you are developing a client-side integration, use OAuth instead.

Client-side: OAuth with JWT

You can set up authentication with OAuth and initialize Moov.js in your application. When making requests to Moov from a browser, you can use OAuth with JSON Web Tokens (JWT).

Understand scopes

A scope is a permission that limits how a specific account can interact with another account. The rest of this guide will reference various scopes that are required for specific actions via Moov.js or any client-side integration.

Scope Description
/accounts.write Allows a new Moov account to be created, and view all connected accounts
/accounts/{accountID}/bank-accounts.write Access to view or add a linked bank account to a Moov account
/accounts/{accountID}/cards.write Access to view or add a linked cards to a Moov account
/accounts/{accountID}/payment-methods.read Access to view payment methods for the account specified

For the full list of scopes, read the scopes documentation.

Required headers for token requests

When calling POST /oauth2/token, you must include at least one of the Origin or Referer headers. If both are present, Origin takes precedence.

Origin: https://your-domain.com

The Origin value must be scheme and domain only (for example, https://your-domain.com) — no path — matching one entry in your API key’s allowed domain list in the Dashboard under Developers → API keys. Even if you have multiple domains registered, set only one — the one the current request originates from. localhost is not an accepted domain. The Referer header follows the same domain requirement but may include the full URL path.

Failure to set the header correctly will cause subsequent API calls made with the token to fail with a 401.

Create an access token

Within your server-side application, you’ll generate a single-use access token containing information needed to communicate with your Moov account securely. Once you’ve generated this token, you can send it back to your client to use with Moov.js.

For each action you take you will need a unique short lived access token. The example below generates a token that can create a new account. Moov.js requires the /accounts.write scope.

curl -X POST "https://api.moov.io/oauth2/token" \
  -u "PUBLIC_KEY:PRIVATE_KEY" \
  -H "Origin: https://your-domain.com" \
  --data '{
    "grant_type":"client_credentials",
    "client_id":"5clTR_MdVrrkgxw2",
    "client_secret":"dNC-hg7sVm22jc3g_Eogtyu0_1Mqh_4-",
    "scope":"/accounts.write",
    "refresh_token":"i1qxz68gu50zp4i8ceyxqogmq7y0yienm52351c6..."
  }'\

Note: Replace https://your-domain.com with scheme and domain only (no path) matching a domain registered in your API key's allowed domain list in the Dashboard under Developers → API keys. Even if you have multiple domains registered, set only one — the one the current request originates from. localhost is not an accepted domain. Failure to set the header correctly will cause subsequent API calls made with the token to fail with a 401.

Summary Beta