Authentication
The Issuing API uses RSA-signed JWT tokens for authentication. To authenticate requests, you need:
- An Access Key (UUID) - obtained from your implementation manager
- An RSA key pair - you generate this yourself
- JWT signing - sign each request with your private key
For detailed implementation instructions, see the Request Signing guide which covers the complete authentication flow including JWT token generation and signing.
Overview
Authentication works by:
- Registering your public key - Email your RSA public key to your implementation manager to receive an Access Key
- Signing requests - For each API request, create a JWT token signed with your RSA private key
- Including the token - Add the signed JWT to the `Authorization` header as a Bearer token
Quick Example
- Your Access Key (`sub` claim)
- Request URI (`uri` claim)
- HTTP method (`method` claim)
- Request body hash (`body` claim, if applicable)
- Timestamps (`iat`, `exp` claims)
Authentication Errors
If authentication fails, you’ll receive a 401 Unauthorized response:
| Error Code | Description | Solution |
|---|---|---|
| INVALID_SIGNATURE | JWT signature verification failed | Verify your private key and signature algorithm |
| Authentication failed | Invalid or missing access key | Check your access key is correct |
| Authentication failed | JWT token expired | Ensure token is less than 30 seconds old |
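
A local pre-send check for the claims listed under Quick Example and the failure causes in the table above, as an added example that is not part of the original documentation or the API provider's code. The function names, the sample access key and the `/example/resource` URI are constructed for illustration; the signature is not verified, so INVALID_SIGNATURE cannot be diagnosed this way.

```python
import base64, json, time, uuid

MAX_AGE_SECONDS = 30  # from the error table: token must be less than 30 seconds old

def sample_token(claims):
    """Constructed sample: header.payload.placeholder, NOT a real signed token."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT"}), enc(claims), "placeholder-signature"])

def lint_token(token, method, uri, has_body, now=None):
    """Return a list of claim problems (empty list = none found).

    Only the payload is inspected; the signature segment is ignored.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not three dot-separated segments"]
    try:
        padding = "=" * (-len(parts[1]) % 4)  # JWT segments drop base64 padding
        claims = json.loads(base64.urlsafe_b64decode(parts[1] + padding))
        if not isinstance(claims, dict):
            raise ValueError("payload is not a JSON object")
    except ValueError:
        return ["payload is not a base64url-encoded JSON object"]
    problems = []
    try:
        uuid.UUID(str(claims.get("sub")))
    except ValueError:
        problems.append("sub is not a UUID access key")
    if claims.get("uri") != uri:
        problems.append("uri claim does not match the request URI")
    if claims.get("method") != method:
        problems.append("method claim does not match the HTTP method")
    if has_body != ("body" in claims):
        problems.append("body claim must be present only when a body is sent")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, (int, float)) or not isinstance(exp, (int, float)):
        problems.append("iat and exp must both be numeric timestamps")
    else:
        if now - iat >= MAX_AGE_SECONDS or now >= exp:
            problems.append("token is expired or 30 or more seconds old")
        if iat > now:
            problems.append("iat is in the future (check the local clock)")
    return problems
```

Run it on the token your client is about to send, with the same method, URI and body flag as the request; an empty list means the claims are consistent with the request, not that the server will accept the signature.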
Sandbox Convenience
In the sandbox environment, you can use HTTP Basic Authentication as a convenience (no signature required).
Rate Limiting
Authenticated requests are subject to rate limiting. See our Rate Limits documentation for details.
Next Steps
- Request Signing Guide - Complete JWT signing implementation
- Authentication Recipes - Language-specific examples
- Sandbox Environment - Testing without signatures

