Applications and API Keys

An API Key is a token which identifies a specific licensed client application. The API Key is reserved for specific organizations, such as a financial institution's development team or IT department, or an application vendor. Each client application should use its own API key.

To request an API key, follow these steps:

  • Register as a user and log onto the Apiture developer portal
  • Register the client application
  • Choose an API product that the client application will use
  • Identify one or more API environments where you wish your client application to call Apiture Digital Banking APIs

See also Secure Access for additional guidance on API key management and keeping your API keys secure.

Terminology

Term Definition
API Environment A developer requests API keys to allow their app to call Apiture APIs in one or more API environments. These may be test environments, partner environments, demo environments, or full production environments. For example, a (fictional) financial institution 3rd Party Bank operating on the Apiture platform may have three separate environments:
  • api.3rdparty.bank - the production environment where 3rd Party Bank live customer data and accounts are available. The Apiture Digital Banking APIs operating here access live data.
  • uat.api.3rdparty.bank - a user acceptance test (UAT) environment, used to validate applications before promoting them to the production environment.
  • dev.api.3rdparty.bank - a development environment, used for prototyping or developing applications within the 3rd Party Bank institution.
See API environments for further information about environments.
API Product API Products are collections of Apiture Digital Banking APIs that support a specific set of features. Licenses are granted for specific API products. Examples of API products may be Digital Banking or Digital Account Opening. Some products may include (embed) other products.
Client Application A web application, mobile application, or service application that uses the Apiture Digital Banking APIs. Each client application is a unique entity and requires its own API key.
API key An API key is a unique private token that identifies a client application within a specific API environment.

At present, a unique API key is required for each combination of:

  • Client application
  • API product
  • API environment

If an application runs against multiple environments (such as dev, uat, and production), the client should register separate API keys for each.

A client ID and client secret (also known as client credentials) are additional authentication credentials. These credentials allow non-interactive service applications to authenticate to the Apiture APIs. The client ID and client secret combination is used only to authenticate a client application within secure client environments, such as back-office automation processes behind a secure firewall.

Partner Each client application is tied to a partner, also known as a partner organization. The partner is based on the email domain of the developers in that organization. For example, developers with @apiture.com email addresses are all members of the same partner organization, identified by the common apiture.com domain. The email addresses are validated, so you can only register as a member of a partner/domain if you can receive email at the corresponding email address.

Members of a partner organization can invite other developers with the same email domain to join the partner organization on the My Company page.

Registering a Client Application

To request API keys, begin by registering a new client application.

  • You must be logged in to register a client application.
  • In addition, you must complete your profile on the My Profile page and accept the terms and conditions outlined there.
  • If your partner organization data is not complete, enter your partner information in the My Company page.

(My Profile and My Company are also available from the account menu under your user ID at the top right of the page.)

To register a new application, open the My APIs page and click the Create a new Application button. Fill in the information on the form:

The New Client Application form

The form fields are described below:

Field Details
Application Type Select the type of application: a desktop app, a web application, a mobile application, or a secure back-office service application. The first three require user authentication; the final may use client credentials authentication.
Authentication Select the type of authentication the application will use. Authentication and security constraints for applications vary by application type. For example, web and mobile applications are harder to keep secure because they often operate in insecure public networks. Web and mobile applications require Authorization Code Flow, which uses an OAuth2 callback URL to complete authentication and authorization flows and return an access token for that user. Trusted service applications use a unique Client ID and Client Secret for the Client Credentials Grant OAuth2 flow to obtain a service token.
Application Name This is your name for your application, so you can return to and access the application on the dev portal. You should use a unique name for each application within your company/organization name.
Description and Purpose A description of your application and its intended use. This is for your information, to help you manage multiple client applications.
Site URL / Download Location The URL of the application, or a web page which describes the application or allows others to download the application. This is for information purposes.
Redirect URL The redirect URL used in Authorization Code Flow. When a user authenticates with the application's authorization server, the authorization server will redirect to this URL to complete the authentication process. This prevents other applications from using the application's client ID and secret.
Products Each client application must select one or more API products, which determine which APIs the client is licensed to invoke. In the future, API rate limits will also be available.
Environments Choose one or more runtime API environments where the client application will run. When approved, the developer portal will provision a unique API key for each environment.

Click the Submit button. The portal will queue a request to provision the API keys for that application. When that process is complete, you will receive an email.

Return to the My APIs page to view the API keys and Client ID/secret for the application. Only the application owner may view the API keys and Client ID/secrets. However, an application owner may add other members of the company as co-owners and grant them access to view and manage the API keys. This should be done with caution.

Managing Your Applications

The application owner can return to My APIs at any time to manage their applications. When you select the expand icon for the application in the My Applications list, the table expands to show all environments and the status of each API key.

The application owner(s) can also perform the following actions on the applications:

Action Details
Show Details View the API keys and credentials for each environment. You can independently revoke API keys for each environment.
Edit the application This operation lets you change the application description, application URL, products, and environments. New keys will be provisioned for any new environments. Use this with caution: keys associated with removed environments are deleted, not disabled, and they are not enabled again if you later edit the application to add those environments back.
Invite Owners You may invite other developers to the Apiture developer portal. Other users can see the company's applications, but not edit or view the API keys for applications owned by others in the company. They can create and edit their own applications. Note: Members must share the same email domain.
Deactivate You can temporarily deactivate an application. This deactivates the application's corresponding API keys and client credentials from all environments. This is useful if you suspect misuse or suspicious activity with your API keys.

Warning: After disabling the application, any deployed application instances will no longer work. All API calls using these keys or client credentials will fail until you restore the keys.

Restore You can restore an application you have temporarily deactivated. This restores the application's corresponding API keys and client credentials in all its environments.
Delete Delete the application. This removes the application's API key from all environments and deletes the application from the My Applications list. Any deployed instances of the software applications using these keys or client credentials will no longer work: all API calls using these keys will fail. Use this only when you and your application users are no longer using the application.

Warning: This operation cannot be undone.

Using API Keys

See also Secure Access for additional guidance on how to pass your client application's API keys to the Apiture Digital Banking APIs.
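
The one-key-per-combination rule from Terminology (client application, API product, API environment) can be enforced in client code so that a key issued for one environment is never sent to another. This is an added example, not Apiture code: the environment-variable naming scheme, the application name ledger-sync and the key values are assumptions; the hosts are the fictional 3rd Party Bank environments from this page.

```python
import os
from urllib.parse import urlsplit

# Hosts of the fictional 3rd Party Bank environments listed under Terminology.
ENV_HOSTS = {
    "api.3rdparty.bank": "production",
    "uat.api.3rdparty.bank": "uat",
    "dev.api.3rdparty.bank": "dev",
}
# Constructed sample configuration: placeholder values, not real keys.
SAMPLE_ENVIRON = {
    "APITURE_KEY__LEDGER_SYNC__DIGITAL_BANKING__UAT": "uat-key-placeholder",
    "APITURE_KEY__LEDGER_SYNC__DIGITAL_BANKING__PRODUCTION": "prod-key-placeholder",
}

class ApiKeyConfigError(Exception):
    """The request target has no API key provisioned for it."""

def _slug(text):
    return "".join(c if c.isalnum() else "_" for c in text).upper()

def env_var_name(app, product, environment):
    # Assumed naming convention (not Apiture's): one variable per
    # application/product/environment combination.
    return "APITURE_KEY__" + "__".join(_slug(p) for p in (app, product, environment))

def environment_for_url(url):
    """Map a request URL to its API environment by exact host match."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ApiKeyConfigError("refusing to send an API key over a non-https URL")
    host = (parts.hostname or "").lower()
    # Exact match only: a suffix or substring test would accept look-alike
    # hosts and could hand the production key to the wrong server.
    if host not in ENV_HOSTS:
        raise ApiKeyConfigError(f"{host!r} is not a registered API environment")
    return ENV_HOSTS[host]

def key_for_request(app, product, url, environ=None):
    """Return (environment, key) for this app and product at the URL's environment."""
    environ = os.environ if environ is None else environ
    environment = environment_for_url(url)
    name = env_var_name(app, product, environment)
    key = environ.get(name)
    if not key:
        # Fail closed: never fall back to a key issued for another environment.
        raise ApiKeyConfigError(f"{name} is not set; no key for {environment}")
    return environment, key
```

Calling key_for_request with SAMPLE_ENVIRON and a dev.api.3rdparty.bank URL raises ApiKeyConfigError, because no dev key was provisioned and the UAT or production key is never substituted.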