Authentication

Base URL

All API requests should be made to your API base URL. For local development, this is typically http://localhost:8000.

https://api.example.com  (Production)
http://localhost:8000    (Local Development)

Overview

The Bank Statement Matcher API uses OAuth 2.0 for authentication. Here's how it works:

  1. Create an API Client in your dashboard
  2. Exchange your Client ID and Client Secret for an Access Token
  3. Include the token in the Authorization header of your requests

Creating an API Client

  1. Log in to your dashboard
  2. Go to Settings → API Clients
  3. Click Create New Client
  4. Save your Client ID and Client Secret somewhere safe (you won't see the secret again!)

Getting an Access Token

Exchange your credentials for an access token:

POST /api/v1/token

Retrieve an access token using your client credentials.

Request Body:

{
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "env": "sandbox"
}

Response:

{
  "access_token": "eyJhbGc...",
  "token_type": "Bearer",
  "expires_in": 3600
}

Example:

curl -X POST "http://localhost:8000/api/v1/token" \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET",
    "env": "sandbox"
  }'

Using Your Token

Include the access token in the Authorization header of every request:

curl -X GET "http://localhost:8000/api/v1/jobs" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Token Expiration

Access tokens expire after 1 hour. When a token expires, you'll receive a TOKEN_EXPIRED error. Simply fetch a new token by repeating the process above.
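
The token handling described above can be wrapped in a small cache that reuses one access token and renews it shortly before expires_in elapses. This is an added example, not code from the API's own documentation or SDK; the environment variable names (BSM_BASE_URL, BSM_CLIENT_ID, BSM_CLIENT_SECRET), the 60-second renewal margin and the function and class names are assumptions.

```python
import json
import os
import time
import urllib.request

# Assumed variable name; the default is the local development URL from this page.
BASE_URL = os.environ.get("BSM_BASE_URL", "http://localhost:8000")

def request_token(client_id, client_secret, env="sandbox"):
    """POST /api/v1/token with the JSON body documented above."""
    body = json.dumps({"client_id": client_id,
                       "client_secret": client_secret,
                       "env": env}).encode()
    req = urllib.request.Request(
        BASE_URL + "/api/v1/token", data=body, method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Holds one access token and renews it shortly before expires_in elapses."""

    def __init__(self, fetch, skew=60, clock=time.monotonic):
        self._fetch = fetch      # callable returning the token response dict
        self._skew = skew        # renew this many seconds early (assumed margin)
        self._clock = clock
        self._token = None
        self._deadline = 0.0

    def invalidate(self):
        """Call when the API answers TOKEN_EXPIRED despite the local timer."""
        self._token = None

    def auth_header(self):
        if self._token is None or self._clock() >= self._deadline:
            resp = self._fetch()
            if resp.get("token_type") != "Bearer" or not resp.get("access_token"):
                raise ValueError("unexpected token response")
            self._token = resp["access_token"]
            self._deadline = self._clock() + max(int(resp["expires_in"]) - self._skew, 0)
        return {"Authorization": "Bearer " + self._token}

def cache_from_env():
    """Credentials come from the process environment, never from source files."""
    cid = os.environ["BSM_CLIENT_ID"]          # assumed variable names
    secret = os.environ["BSM_CLIENT_SECRET"]
    return TokenCache(lambda: request_token(cid, secret))
```

Pass the result of auth_header() as the request headers, and call invalidate() before retrying once if a request still comes back with TOKEN_EXPIRED.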

Best Practices

  • Store credentials securely - Never commit API secrets to version control
  • Use sandbox environment for testing - Switch to production when live
  • Rotate secrets regularly - Generate new credentials every 90 days
  • Monitor token usage - Check your API dashboard for unusual activity

Common Errors

Error          Cause                          Solution
AUTH_INVALID   Incorrect client ID or secret  Verify credentials in dashboard
TOKEN_EXPIRED  Token older than 1 hour        Request a new token
FORBIDDEN      Insufficient permissions       Check your API client scopes
UNAUTHORIZED   Missing Authorization header   Add -H "Authorization: Bearer TOKEN"