Authentication
Authentication is done via Bearer token. The enrollment process (how you obtain the token) is outside the scope of OBAPI -- each provider decides: login/password with JWT, pre-shared key, OAuth2, etc.
The important thing is: your OBAPI server gives a token to the client. The client sends it with every request.
Request header
All authenticated requests must include:
Authorization: Bearer {YOUR_API_KEY}
Example
curl -X GET \
-H "Authorization: Bearer abc123def456" \
https://provider.example.com/obapi/v1/invoices
Error responses
401 -- Invalid or missing token:
{
  "error": {
    "type": "authentication_error",
    "code": "INVALID_TOKEN",
    "message": "Invalid or expired API token"
  }
}
403 -- Insufficient permissions:
{
  "error": {
    "type": "authorization_error",
    "code": "INSUFFICIENT_PERMISSIONS",
    "message": "Your token does not have access to this resource"
  }
}
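The server-side check that produces these two responses, written here as an added example rather than code from OBAPI or any provider. The token store, the scope names and the timestamps are constructed for the example; only the header format and the two error bodies come from this page.

```python
import hashlib

# Constructed token store for this example. Only the SHA-256 of each issued
# token is kept, so a leaked store does not hand out usable credentials.
# Values: (set of granted scopes, expiry as a Unix timestamp).
_NOW = 1_700_000_000
TOKEN_STORE = {
    hashlib.sha256(b"abc123def456").hexdigest(): ({"invoices:read"}, _NOW + 3600),
    hashlib.sha256(b"expired-token").hexdigest(): ({"invoices:read"}, _NOW - 1),
    hashlib.sha256(b"readonly-webhooks").hexdigest(): ({"webhooks:read"}, _NOW + 3600),
}


def _error(status, err_type, code, message):
    """Build the (status, body) pair in the error shape OBAPI documents."""
    return status, {"error": {"type": err_type, "code": code, "message": message}}


def authenticate(headers, required_scope, now=_NOW):
    """Return (status, error_body) on failure or (200, scopes) on success.

    Every token problem (missing header, wrong scheme, unknown or expired
    token) yields the same 401 body, so a caller cannot tell which check
    failed. 403 is returned only for a valid token that lacks the scope.
    """
    # Header names are case-insensitive in HTTP, as is the auth scheme.
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = auth.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return _error(401, "authentication_error", "INVALID_TOKEN",
                      "Invalid or expired API token")
    record = TOKEN_STORE.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None or record[1] <= now:
        return _error(401, "authentication_error", "INVALID_TOKEN",
                      "Invalid or expired API token")
    scopes, _expiry = record
    if required_scope not in scopes:
        return _error(403, "authorization_error", "INSUFFICIENT_PERMISSIONS",
                      "Your token does not have access to this resource")
    return 200, scopes
```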