The API uses OAuth2 exclusively to authenticate and authorize requests. You need an OAuth client ID and a client secret before you can make authenticated OAuth requests. These credentials can be created and managed on our web dashboard. Once you have your credentials, use them to get an access token from our authentication server with the request below:

curl -X POST \ \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=client_credentials&scope=platform'

Note that the ‘platform’ scope is the broadest. If you only need to access lending APIs, the ‘platform.lending’ scope is sufficient.

If your request is successful, you will receive a 200 response status code and the response body will be a JSON document with the structure shown below.

JSON representation
{
  "access_token": string,
  "token_type": string,
  "expires_at": number,
  "scope": string
}



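Field: access_token
Data Type: string
OAuth access token.

Field: token_type
Data Type: string ('Bearer')
The token type. Only bearer tokens are supported.

Field: expires_at
Data Type: number
Token expiry date as a Unix timestamp. A normal token is valid for 24 hours.

Field: scope
Data Type: string
Comma delimited OAuth access scopes.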

You can now make requests to any API using the access token. Remember to store the token temporarily somewhere secure, for instance in your database, cache or even a global variable, so that you do not need to create a new token for each request.

When the token expires, you will receive a 401 error code from the API. You should have your application perform the above process again. Alternatively, you can preempt that by checking the expires_at field, returned in the token response, before each API request.

The token should be sent as a Bearer token in the HTTP Authorization header. You can find an example of such a request here.
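
The caching and renewal steps described above (check expires_at before each request, repeat the token request on a 401, send the token as a Bearer token), as an added example that is not part of the original documentation or the provider's own code. TOKEN_URL is a placeholder because the token endpoint is not shown on this page; fetch_token, TokenCache and the 60-second skew are hypothetical, and expires_at is assumed to be in seconds.

```python
import json
import threading
import time
import urllib.parse
import urllib.request

# Placeholder: the token endpoint URL is not shown on this page.
TOKEN_URL = "https://auth.example.invalid/oauth/token"

def fetch_token(client_id, client_secret, scope, url=TOKEN_URL):
    """POST the client_credentials form from the curl request above."""
    form = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "grant_type": "client_credentials", "scope": scope,
    }).encode()
    req = urllib.request.Request(url, data=form, headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Keeps one token in memory and renews it before or after expiry."""

    def __init__(self, fetch, skew=60, clock=time.time):
        # skew: renew this many seconds early (assumes expires_at is in seconds)
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token = None
        self._lock = threading.Lock()

    def header(self, force=False):
        """Return the Authorization header, fetching a token only when needed."""
        with self._lock:
            stale = (self._token is None or
                     self._clock() >= self._token["expires_at"] - self._skew)
            if force or stale:
                token = self._fetch()
                if str(token.get("token_type", "")).lower() != "bearer":
                    raise ValueError("unexpected token_type in token response")
                self._token = token
            return {"Authorization": "Bearer " + self._token["access_token"]}

    def call(self, send):
        """send(headers) -> (status, body). A 401 triggers one renewal and retry."""
        status, body = send(self.header())
        if status == 401:
            status, body = send(self.header(force=True))
        return status, body
```

Construct the cache once per process, for example with `TokenCache(lambda: fetch_token(client_id, client_secret, "platform.lending"))`, so the narrower scope is requested when only the lending APIs are used.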