Authentication API

Overview

The Buburuza Authentication API provides secure access to all platform services using JWT tokens, OAuth 2.0, and optional biometric authentication. Built with bank-grade security standards and designed for both B2B integrations and consumer applications.

Authentication Methods

1. API Key Authentication (Server-to-Server)

For backend services and server-to-server communication.

curl -X GET https://api.buburuza.com/v1/customers \
  -H "Authorization: Bearer bb_live_1234567890abcdef" \
  -H "Content-Type: application/json"

2. OAuth 2.0 (User Authentication)

For applications that need to act on behalf of users.

// Redirect users to Buburuza OAuth
const authUrl = buburuza.auth.getAuthorizationUrl({
  clientId: 'your_client_id',
  redirectUri: 'https://yourapp.com/callback',
  scope: ['accounts:read', 'transactions:write'],
  state: 'random_state_string'
});

window.location.href = authUrl;

3. Biometric Authentication (Mobile)

For enhanced security on mobile applications.

// Request biometric authentication
const biometricAuth = await buburuza.auth.requestBiometric({
  userId: 'user_123',
  method: 'fingerprint', // 'fingerprint', 'face', 'voice'
  challenge: 'auth_challenge_456'
});

API Endpoints

Generate Access Token

Exchange credentials for a JWT access token.

POST /v1/auth/token

const tokenResponse = await fetch('https://api.buburuza.com/v1/auth/token', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    grant_type: 'client_credentials',
    client_id: 'your_client_id',
    client_secret: 'your_client_secret',
    scope: 'accounts transactions'
  })
});

const { access_token, token_type, expires_in } = await tokenResponse.json();

Response:

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "accounts transactions",
  "refresh_token": "rt_1234567890abcdef"
}

Refresh Access Token

Obtain a new access token using a refresh token.

POST /v1/auth/refresh

const refreshResponse = await buburuza.auth.refreshToken({
  refreshToken: 'rt_1234567890abcdef'
});

console.log('New access token:', refreshResponse.accessToken);

Request:

{
  "grant_type": "refresh_token",
  "refresh_token": "rt_1234567890abcdef"
}

Response:

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "rt_0987654321fedcba"
}

Validate Token

Verify the validity and scope of an access token.

GET /v1/auth/validate

const validation = await buburuza.auth.validateToken({
  token: access_token
});

console.log('Token valid:', validation.valid);
console.log('Scopes:', validation.scopes);

Response:

{
  "valid": true,
  "expires_at": "2025-11-07T16:30:00Z",
  "scopes": ["accounts:read", "transactions:write"],
  "client_id": "your_client_id",
  "user_id": "user_123"
}

Revoke Token

Revoke an access or refresh token.

POST /v1/auth/revoke

await buburuza.auth.revokeToken({
  token: access_token,
  token_type: 'access_token'
});

OAuth 2.0 Flows

Authorization Code Flow

For web applications with secure backend.

Step 1: Authorization Request

const authUrl = `https://auth.buburuza.com/oauth/authorize?` +
  `response_type=code&` +
  `client_id=${clientId}&` +
  `redirect_uri=${encodeURIComponent(redirectUri)}&` +
  `scope=accounts transactions&` +
  `state=${state}`;

// Redirect user to authUrl

Step 2: Exchange Code for Token

const tokenResponse = await fetch('https://api.buburuza.com/v1/auth/token', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
  },
  body: new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: 'your_client_id',
    client_secret: 'your_client_secret',
    code: 'authorization_code_from_callback',
    redirect_uri: 'https://yourapp.com/callback'
  })
});

Client Credentials Flow

For machine-to-machine authentication.

const clientAuth = await buburuza.auth.clientCredentials({
  clientId: 'your_client_id',
  clientSecret: 'your_client_secret',
  scope: ['accounts:read', 'transactions:write']
});

// Use the returned access token for API calls

PKCE Flow (Mobile Apps)

For mobile applications without secure storage.

import { generateCodeChallenge, generateCodeVerifier } from '@buburuza/sdk';

// Step 1: Generate PKCE parameters
const codeVerifier = generateCodeVerifier();
const codeChallenge = await generateCodeChallenge(codeVerifier);

// Step 2: Authorization request with PKCE
const authUrl = `https://auth.buburuza.com/oauth/authorize?` +
  `response_type=code&` +
  `client_id=${clientId}&` +
  `redirect_uri=${redirectUri}&` +
  `code_challenge=${codeChallenge}&` +
  `code_challenge_method=S256&` +
  `scope=accounts transactions`;

// Step 3: Exchange code with verifier
const tokenResponse = await buburuza.auth.exchangeCodeForToken({
  code: authorizationCode,
  codeVerifier: codeVerifier,
  clientId: 'your_client_id'
});

Biometric Authentication

Setup Biometric Authentication

POST /v1/auth/biometric/register

const biometricRegistration = await buburuza.auth.biometric.register({
  userId: 'user_123',
  biometricType: 'fingerprint',
  deviceId: 'device_456',
  publicKey: biometricPublicKey, // Generated by device
  metadata: {
    deviceModel: 'iPhone 14 Pro',
    osVersion: 'iOS 16.1'
  }
});

Authenticate with Biometrics

Verify user identity using biometric data.

POST /v1/auth/biometric/verify

const biometricAuth = await buburuza.auth.biometric.verify({
  userId: 'user_123',
  challenge: 'auth_challenge_789',
  signature: biometricSignature, // Signed challenge
  biometricType: 'fingerprint'
});

if (biometricAuth.verified) {
  console.log('Biometric authentication successful');
  // Access token provided in response
}

Scopes and Permissions

Available Scopes

Scope

Description

Access Level

accounts:read

Read account information and balances

Read-only

accounts:write

Create and modify accounts

Read/Write

transactions:read

View transaction history

Read-only

transactions:write

Create transactions and transfers

Read/Write

cards:read

View card information

Read-only

cards:write

Issue and manage cards

Read/Write

investments:read

View portfolio and positions

Read-only

investments:write

Execute trades and manage portfolio

Read/Write

kyc:read

View KYC status and documents

Read-only

kyc:write

Initiate and manage KYC processes

Read/Write

ai:read

Access AI insights and analytics

Read-only

ai:write

Submit requests to AI services

Read/Write

Scope Examples

// Request minimal scopes for read-only access
const readOnlyToken = await buburuza.auth.clientCredentials({
  clientId: 'your_client_id',
  clientSecret: 'your_client_secret',
  scope: ['accounts:read', 'transactions:read']
});

// Request comprehensive scopes for full functionality
const fullAccessToken = await buburuza.auth.clientCredentials({
  clientId: 'your_client_id',
  clientSecret: 'your_client_secret',
  scope: [
    'accounts:write',
    'transactions:write',
    'cards:write',
    'investments:write'
  ]
});

Security Best Practices

Token Storage

// ✅ Secure token storage
localStorage.setItem('buburuza_access_token', access_token);
localStorage.setItem('buburuza_refresh_token', refresh_token);

// ✅ Even better: Use secure HTTP-only cookies
// Set tokens in secure cookies on your backend
res.cookie('access_token', access_token, {
  httpOnly: true,
  secure: true,
  sameSite: 'strict',
  maxAge: 3600000 // 1 hour
});

Token Refresh Strategy

class BuburuざAuthManager {
  constructor(apiKey, refreshToken) {
    this.apiKey = apiKey;
    this.refreshToken = refreshToken;
    this.accessToken = null;
    this.tokenExpiry = null;
  }

  async getValidToken() {
    // Check if current token is still valid
    if (this.accessToken && this.tokenExpiry > Date.now()) {
      return this.accessToken;
    }

    // Refresh token if expired
    const tokenResponse = await this.refreshAccessToken();
    this.accessToken = tokenResponse.access_token;
    this.tokenExpiry = Date.now() + (tokenResponse.expires_in * 1000);
    
    return this.accessToken;
  }

  async makeAuthenticatedRequest(endpoint, options = {}) {
    const token = await this.getValidToken();
    
    return fetch(`https://api.buburuza.com${endpoint}`, {
      ...options,
      headers: {
        'Authorization': `Bearer ${token}`,
        'Content-Type': 'application/json',
        ...options.headers
      }
    });
  }
}

Error Handling

async function makeSecureApiCall(endpoint, data) {
  try {
    const response = await buburuza.api.request(endpoint, data);
    return response;
  } catch (error) {
    switch (error.code) {
      case 'invalid_token':
        // Token is invalid or expired
        await refreshAccessToken();
        return makeSecureApiCall(endpoint, data); // Retry
        
      case 'insufficient_scope':
        // Token doesn't have required permissions
        throw new Error('Application needs additional permissions');
        
      case 'rate_limit_exceeded':
        // Too many requests
        await new Promise(resolve => setTimeout(resolve, 1000));
        return makeSecureApiCall(endpoint, data); // Retry after delay
        
      default:
        throw error;
    }
  }
}

Multi-Factor Authentication (MFA)

Enable MFA for User

POST /v1/auth/mfa/enable

const mfaSetup = await buburuza.auth.mfa.enable({
  userId: 'user_123',
  method: 'totp', // 'totp', 'sms', 'email'
  phoneNumber: '+1-555-0123' // Required for SMS
});

console.log('MFA Secret:', mfaSetup.secret);
console.log('QR Code URL:', mfaSetup.qrCodeUrl);

Verify MFA Code

POST /v1/auth/mfa/verify

const mfaVerification = await buburuza.auth.mfa.verify({
  userId: 'user_123',
  code: '123456',
  method: 'totp'
});

if (mfaVerification.verified) {
  // Grant access to sensitive operations
  console.log('MFA verification successful');
}

Webhook Authentication

Verify webhook requests are from Buburuza.

const crypto = require('crypto');

function verifyWebhookSignature(payload, signature, secret) {
  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
    
  return crypto.timingSafeEqual(
    Buffer.from(signature, 'hex'),
    Buffer.from(expectedSignature, 'hex')
  );
}

// Express.js webhook handler
app.post('/webhooks/buburuza', (req, res) => {
  const signature = req.headers['x-buburuza-signature'];
  const payload = JSON.stringify(req.body);
  
  if (!verifyWebhookSignature(payload, signature, webhookSecret)) {
    return res.status(401).send('Invalid signature');
  }
  
  // Process webhook event
  const event = req.body;
  console.log('Verified webhook event:', event.type);
  
  res.status(200).send('OK');
});

Rate Limiting

The Authentication API implements rate limiting to prevent abuse:

Token requests: 10 per minute per IP
Token validation: 100 per minute per token
Biometric authentication: 5 per minute per user

// Handle rate limiting gracefully
async function authenticateWithRetry(credentials, maxRetries = 3) {
  for (let attempt = 1; attempt <= maxRetries; attempt++) {
    try {
      return await buburuza.auth.authenticate(credentials);
    } catch (error) {
      if (error.code === 'rate_limit_exceeded' && attempt < maxRetries) {
        const delay = Math.pow(2, attempt) * 1000; // Exponential backoff
        await new Promise(resolve => setTimeout(resolve, delay));
        continue;
      }
      throw error;
    }
  }
}

Testing Authentication

Sandbox Environment

// Use test credentials in sandbox
const sandboxAuth = new BuburuざAPI({
  apiKey: 'bb_test_1234567890abcdef',
  environment: 'sandbox'
});

// Test authentication flow
const testToken = await sandboxAuth.auth.clientCredentials({
  clientId: 'test_client_123',
  clientSecret: 'test_secret_456',
  scope: ['accounts:read', 'transactions:write']
});

Mock Biometric Authentication

// Sandbox automatically approves biometric requests
const mockBiometric = await sandboxAuth.auth.biometric.verify({
  userId: 'test_user_123',
  challenge: 'test_challenge',
  signature: 'mock_signature',
  biometricType: 'fingerprint'
});

console.log('Mock biometric result:', mockBiometric.verified); // true

Support and Resources

Authentication Guide: Detailed implementation examples
Security Best Practices: Industry-standard security recommendations
Troubleshooting: Common authentication issues and solutions
SDKs: Pre-built authentication handling in all supported languages

For additional help, contact our developer support team at [email protected].

PreviousGetting Started NextCore Banking API

Last updated 3 months ago

hashtagAuthentication API

hashtagOverview

hashtagAuthentication Methods

hashtag1. API Key Authentication (Server-to-Server)

hashtag2. OAuth 2.0 (User Authentication)

hashtag3. Biometric Authentication (Mobile)

hashtagAPI Endpoints

hashtagGenerate Access Token

hashtagRefresh Access Token

hashtagValidate Token

hashtagRevoke Token

hashtagOAuth 2.0 Flows

hashtagAuthorization Code Flow

hashtagClient Credentials Flow

hashtagPKCE Flow (Mobile Apps)

hashtagBiometric Authentication

hashtagSetup Biometric Authentication

hashtagAuthenticate with Biometrics

hashtagScopes and Permissions

hashtagAvailable Scopes

hashtagScope Examples

hashtagSecurity Best Practices

hashtagToken Storage

hashtagToken Refresh Strategy

hashtagError Handling

hashtagMulti-Factor Authentication (MFA)

hashtagEnable MFA for User

hashtagVerify MFA Code

hashtagWebhook Authentication

hashtagRate Limiting

hashtagTesting Authentication

hashtagSandbox Environment

hashtagMock Biometric Authentication

hashtagSupport and Resources