How to authenticate with Akahu's API
User-scoped endpoints
Most API endpoints available to your app are user-scoped. This means that they allow you to access data or perform actions in relation to a specific user who has authorised your application using the OAuth Authorization Flow.
Requests to user-scoped endpoints are authenticated using a User Access Token that your app has acquired by completing an OAuth token exchange. Additionally, your App ID Token must be provided using the X-Akahu-Id header:
Authorization: Bearer {{ User Access Token }}
X-Akahu-Id: {{ App ID Token }}
For more information about getting these, see Getting Started.
Note: The OAuth Authorization Flow is not available to Personal Apps. Personal App developers can find their User Access Token by visiting https://my.akahu.nz/developers.
App-scoped endpoints
Some API endpoints provide general-purpose (i.e. not user specific) functionality to your app. For example, you can query the list of Akahu's transaction categories using the GET /categories endpoint.
Requests to app-scoped endpoints are authenticated using your client credentials (App ID Token and App Secret). Provide these credentials in the Authorization header using the HTTP Basic Authentication scheme. Use your App ID Token as the username and your App Secret as the password.
All endpoints requiring app-specific auth are explicitly labelled in the API reference.
// APP_TOKEN holds your App ID Token and APP_SECRET holds your App Secret
// Join the App ID Token and App Secret with a ":" then base64 encode the result (Node.js Buffer)
const credentials = Buffer.from(`${APP_TOKEN}:${APP_SECRET}`).toString("base64");
// Set the Authorization header for your requests using the base64 encoded credentials
const headers = { Authorization: `Basic ${credentials}` };
Note: App-scoped endpoints are not available to Personal Apps.
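The two header schemes described on this page, as an added example that is not Akahu's own code: Node.js helpers that build the headers for user-scoped and app-scoped requests, reject values that would corrupt a header, and mask credentials before the headers are logged. The function names and token values are assumptions made for illustration.

```javascript
// Added example, not Akahu's own code. Function names and token values are assumptions.

// Reject empty values and any whitespace or control characters (a CR/LF in a
// token would let it inject extra header lines).
function checkCredential(name, value) {
  if (typeof value !== "string" || value.length === 0) {
    throw new TypeError(`${name} must be a non-empty string`);
  }
  if (/[\s\x00-\x1f\x7f]/.test(value)) {
    throw new TypeError(`${name} contains whitespace or control characters`);
  }
  return value;
}

// User-scoped endpoints: Bearer token plus the X-Akahu-Id header.
function userScopedHeaders(userAccessToken, appIdToken) {
  return {
    Authorization: `Bearer ${checkCredential("User Access Token", userAccessToken)}`,
    "X-Akahu-Id": checkCredential("App ID Token", appIdToken),
  };
}

// App-scoped endpoints: HTTP Basic, App ID Token as username, App Secret as password.
function appScopedHeaders(appIdToken, appSecret) {
  checkCredential("App ID Token", appIdToken);
  checkCredential("App Secret", appSecret);
  // RFC 7617: the first ":" separates username from password, so the username cannot contain one.
  if (appIdToken.includes(":")) {
    throw new TypeError("App ID Token must not contain ':'");
  }
  const credentials = Buffer.from(`${appIdToken}:${appSecret}`, "utf8").toString("base64");
  return { Authorization: `Basic ${credentials}` };
}

// Copy of the headers for logging: the Authorization value is masked, the scheme is kept.
function redactHeaders(headers) {
  const out = {};
  for (const [key, value] of Object.entries(headers)) {
    out[key] = key.toLowerCase() === "authorization" ? `${value.split(" ")[0]} [REDACTED]` : value;
  }
  return out;
}

// Constructed sample values, not real credentials.
const sample = appScopedHeaders("example-app-id", "example-secret");
console.log(redactHeaders(sample));
```

Base64 is an encoding, not encryption, so the Basic header value is equivalent to the App Secret and should never reach logs or client-side code.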