Skip to content
Developerhome

Securing connector API

  Less than to read

This guide covers the security functionality you should put in place in your solution to protect your connector API endpoints.


Auth endpoint

Before recieving a request to /auth, the Banking Service will POST to your notification endpoint with resource type ‘authorisation’ to advise you that the authorisation flow has started. This request will also contain an AuthorisationID which you can use to secure any requests into /auth.

You can do this by comparing the AuthorisationID recieved through the notification body to the AuthorisationID recieved within the query parameters to /auth. If the authorisation identifier values do not match, the request is not secure and should not be processed.

The lifetime of this authorisation session is around 20 minutes and can only be used 1 time.

This AuthorisationID would then be used when sending your PATCH request to the authorisations endpoint through the Provider API.


Auth refresh endpoint

Before recieving a request to /authrefresh, the Banking Service will POST to your notification endpoint with resource type ‘authorisation’ to advise you that the re-authorisation flow has started. This request will also contain an AuthorisationID which you can use to secure any requests into /authrefresh.

You can do this by comparing the AuthorisationID recieved through the notification body to the AuthorisationID recieved within the query parameters to /authrefresh. If the authorisation identifier values do not match, the request is not secure and should not be processed.

The lifetime of this authorisation session is around 20 minutes and can only be used one time.

This AuthorisationID would then be used when sending your PATCH request to the authorisations endpoint through the Provider API.


Notification endpoint

With the /notification endpoint we can add a custom headerName and headerValue to the request specified by you.

In this request you will also be passed a Sage ID token under the authorisation header which can be validated using the following details:

Sandbox

  • Endpoint: https://id-shadow.sage.com/oauth/token
  • Issuer: https://id-shadow.sage.com/
  • Audience: sfdsbanking/sfdsBankingProvider-Pre
  • Key set: https://id-shadow.sage.com/.well-known/jwks.json
  • Scope: WebhooksLambda

Production

  • Endpoint: https://id.sage.com/oauth/token
  • Issuer: https://id.sage.com/
  • Audience: sfdsbanking/sfdsBankingProvider
  • Key set: https://id.sage.com/.well-known/jwks.json
  • Scope: WebhooksLambda

The following is an example of the request headers which would be sent along with this request:

  headers: {
    accept: 'application/json',
    Authorization: 'Bearer **Sage ID Token**',
    'content-type': 'application/json; charset=utf-8',
    YourKeyHeader: 'YourKeyValue'
  }

Available accounts endpoint

In this request you will also be passed a Sage ID token under the authorisation header which can be validated using the following details:

Sandbox

  • Endpoint: https://id-shadow.sage.com/oauth/token
  • Issuer: https://id-shadow.sage.com/
  • Audience: sfdsbanking/sfdsBankingProvider-Pre
  • Web Key set: https://id-shadow.sage.com/.well-known/jwks.json
  • Scope: ProviderAPI

Production

  • Endpoint: https://id.sage.com/oauth/token
  • Issuer: https://id.sage.com/
  • Audience: sfdsbanking/sfdsBankingProvider
  • Web Key set: https://id.sage.com/.well-known/jwks.json
  • Scope: ProviderAPI

The following is an example of the request headers which would be sent along with this request:

  headers: {
    accept: 'application/json',
    Authorization: 'Bearer **Sage ID Token**',
    'content-type': 'application/json; charset=utf-8',
  }

Grant access to IP addresses

Our sandbox and production site sits behind Cloudflare. For the list of Cloudflare IP addresses to grant access for the connector API, go to Cloudflare.


Was this helpful?