Scribd
Upload
256 views6 pages

Auth API Documentation

1. To access Mortech APIs, partners must get a Partner ID, API key, and private key through Mortech's provisioning process. 2. Partners generate a signed JWT using the private key containing their Partner ID and other claims. 3. Partners call Mortech's Auth API with the JWT to get a temporary access token, which is included in the header of subsequent API requests along with the API key until it expires.

Uploaded by

Marcelo Pereira Rodrigues
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
Download as pdf or txt
256 views6 pages

Auth API Documentation

1. To access Mortech APIs, partners must get a Partner ID, API key, and private key through Mortech's provisioning process. 2. Partners generate a signed JWT using the private key containing their Partner ID and other claims. 3. Partners call Mortech's Auth API with the JWT to get a temporary access token, which is included in the header of subsequent API requests along with the API key until it expires.

Uploaded by

Marcelo Pereira Rodrigues
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
Download as pdf or txt
Download as pdf or txt
You are on page 1/ 6

JWT API Authentication

May 2018

Getting Started
In order to get access to Mortech APIs you will need to get a Partner ID, API key, and a private
key. Contact your Customer Success Manager to get setup started.
1. Mortech will generate a Partner account within our system and needs the email address of
whomever will be receiving the Partner ID, API key, and private key
2. The Partner will receive an email with a link where they can receive their Partner ID, API key,
and private key .pem file.
3. Follow the link provided in the email to download the private key file. This is needed to sign
the JWT authorization token.
a. Mortech provides a Private Key during the provisioning process. Mortech keeps the
Public Key equivalent for validating the signatures. The Private Key is generated from the
Client’s browser and is never transmitted on the internet. Therefore Mortech never has
a copy of the Private Key. It is the responsibility of the Partner to keep the Private Key
secure.

JWT Authentication Process


Mortech uses JSON Web Token (JWT) authentication for their API services. For more information
about JWT, please visit https://jwt.io/introduction/. The authentication API generates a
temporary token which can be used to access Mortech’s API services. The token will expire after
a certain period of time. After that time, a new token will need to be generated to continue to
access Mortech’s API services.
The best way to know if you need a new token is to make an API request and check the response
code. 401 means the `authorizationtoken` supplied is either invalid or expired. In this case
the client should get a new token from the authenticate API and retry their request.

Sales: 855.298.9317 | Support: 402.441.4647 2


May 2018

Mortech Auth API Endpoint Mortech API Endpoint


Partner https://api.mortech-inc.com/
https://api.mortech-inc.com/auth/
example_api_endpoint/

HTTPS Request
Headers:
authorizationtoken:Bearer
<signed JWT>
REQUESTING
x-api-key: <partner api key>
ACCESS TOKEN

JSON Response payload


{ "accesstoken": "85f90...1afb"}

HTTPS Request
Headers:
authorizationtoken: <accesstoken from auth API response>
EXAMPLE API
X-api-key: <partner api key>
REQUEST

Response Code: 200

HTTPS Request with expired token


Headers:
EXAMPLE API authorizationtoken: <accesstoken from auth API response>
REQUEST WITH X-api-key: <partner api key>
EXPIRED TOKEN
Response Code: 401

1. The Partner generates a signed JWT.


2. The Partner calls Mortech’s Auth API with the JWT as a Bearer token of the
`authorizationtoken` Header.
3. The Auth API responds with an `accesstoken`.
4. The Partner can then make multiple requests to various Mortech API endpoints using the
token for a period of time until the token expires.
5. When the `accesstoken` expires the Partner will get a 401 response code with an
“Unauthorized” message at which time they need to create a new JWT and request a
new access token.

Sales: 855.298.9317 | Support: 402.441.4647 3


May 2018

Generating a Signed JWT


Please visit https://jwt.io which provides additional information and links to several open source
libraries for using JWTs.

Header of the JWT


The header consists of two parts:
• `alg` which is the hashing algorithm being used

• `typ` which is JWT

Mortech requires these two items to be in the header. They are not optional and they are fixed
values. Do not use an `alg` or `typ` different from what is below.

Header JSON

{
"alg": "RS256",
"typ": "JWT"
}

Payload of the JWT


The payload consists of three parts:
• `partnerId` which is issued during the provisioning process. (See Getting Started)

• `customerId` which is the ID of the customer the Partner is making requests on behalf of.

• `iat` which is the ‘Issued-At Time’ timestamp at which the JWT is created. This value must
be within 5 minutes of the system time of Mortech’s APIs to be considered valid.

Payload JSON

{
"partnerId": "350",
"customerId": "30bank01",
"iat": 1495634289
}

Sales: 855.298.9317 | Support: 402.441.4647 4


May 2018

Signature of the JWT


The signature portion of the JWT is the signed combination of the encoded Header and Payload
sections. To sign the JWT, Mortech provides a Private Key during the provisioning process (See
Getting Started). Please visit https://jwt.io/introduction/ for more info on signing your JWT

Resulting JWT
The header and payload portions of the JWT are base64 encoded and the signature is encrypted.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwYXJ0bmVySWQiOiI0MjIiLCJjdX0b21l
cklkIjoiMzBqdXN0aW4wMSIsImlhdCI6MTQ5NTYzNDI4OX0.MTv1YoxMha8EmJHSHCIaqga6l
FAnUdXj6qZR-qZqwaQ

Example Auth Request

API Key
All requests to Mortech API’s require an API Key which is provided during the provisioning
process (See Getting Started). It should be passed in the header as `x-api-key` (See the
example below).

Authorization Token
All requests to Mortech APIs require an `authorizationtoken` Header. The
`authorizationtoken` header for the auth API will be a JWT generated and signed using the
partners private key. The value for the `authorizationtoken` header will be a bearer token
with a space between the word `Bearer` and the signed JWT.

Authorization URL

https://api.mortech-inc.com/auth

Sales: 855.298.9317 | Support: 402.441.4647 5


May 2018

Request Method: GET


Headers

authorizationtoken: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.


eyJwY XJ0bmVySW QiOiI0MjIiLCJjdXN0b21lcklkIjoiMzBqdXN0aW4wMSIsIm
lhdCI6MTQ5NTYzNDI4OX0.MTv1YoxMha8EmJHSHCIaqga6lFAnUdXj6qZR-qZqwaQ"

x-api-key: "OPLcE7uALa7...6eXaKS6ZhK4"

Result (200)

{
"accesstoken":"85f900a7dce3...af9f59a8c1afb"
}

Auth API Response Codes


Successful Meaning
response codes

200 The request was successful and the JSON response body will contain an
`accesstoken`.

Unsuccessful Meaning
response codes

400 There was an issue with the request. Usually a bad input parameter.
401 The supplied `authorizationtoken` is invalid.
403 The supplied `authorizationtoken` is expired. The Partner should
sign a new JWT and request a new token from the /auth API.
500 The service is experiencing problems. This error should be reported to
Mortech.

Sales: 855.298.9317 | Support: 402.441.4647 6

You might also like