# API Authentication
source: https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/api-basics/api-authentication/index.md

All endpoints require partner authentication through headers that contain the Third Party Provider's (TPP's) Client ID and
Client Secret:

    X-Client-ID: <CLIENT_ID>
    X-Client-Secret: <CLIENT_SECRET>

Once an end-user is authenticated, requests to session endpoints require
an Access Token to be sent as a part of the Authorization header:

    Authorization: Bearer <ACCESS_TOKEN>

#### Getting an Access Token {#getting-an-access-token}

##### Step 1 {#step-1}

The TPP's `Client ID` and `Client Secret` must be located. Refer to the [Quick Start Guide](https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/quickstart/index.md) for details on how to locate them.

##### Step 2 {#step-2}

Next, the first [Supervised login](https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/connect/supervised/index.md) is started.

```shell
curl -X POST \
  https://api.nordicapigateway.com/v1/authentication/initialize \
  -H 'X-Client-Id: <CLIENT_ID>' \
  -H 'X-Client-Secret: <CLIENT_SECRET>' \
  -H 'Content-Type: application/json' \
  -d '{
        "userHash": "test-user-id",
        "redirectUrl": "https://httpbin.org/anything"
      }'
```

A `redirectUrl` and a `userHash` must be provided. The Payment Service User (PSU) will be redirected to the `redirectUrl` after completing the login flow. The `userHash` is used to identify the PSU when making future requests.

Note: The provided `userHash` must match the regular expression `^[a-zA-Z0-9-]{8,64}$`: it may consist only of lowercase letters (`a` to `z`), uppercase letters (`A` to `Z`), digits (`0` to `9`) and dashes (`-`), and it must be between 8 and 64 characters in length. Refer to [Authentication - Identifying users](https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/connect/identifying-users/index.md) for information on how to get the user hash.

If the request is successful, the following response displays:

```json
{
  "authUrl": "https://api.nordicapigateway.com/v1/authentication/start?startToken=mgAAAAVDaXBoZXJ0ZXh0AGAAAAAAJVb2479bpXmLEke3qBXbA8dj8Q9bfGoJTp0gladstCZaPiuTua9Q7ECuEQZavQmSXBMuO03qQItNLCVpcMimziAXj11waCGCa9AE66szZcTIAPDd2I78OXnDycjd9Fb1BUl2ABAAAAAAvBk7JRFhz3x7Ca6XFmxjahBLZXlJZAAAAAAAAA%3D%3D"
}
```

The response contains an `authUrl` that points to a webpage which starts a [Supervised login flow](https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/connect/supervised/index.md).

**Are you having problems?**

If an invalid `Client ID` or `Client Secret` is provided, an HTTP 401 -- Unauthorized error is returned with the following data:

```json
{
  "error": "Unauthorized"
}
```

**How to fix it** --- Check the correct `Client ID` and `Client Secret` have been provided. Go to the apps section at our [Developer Portal](https://devportal.openbanking.mastercard.com/) to verify the correct `Client ID`. If you have lost your Client Secret, you can generate a new one.

#### Access Token expiry {#access-token-expiry}

Account Servicing Payment Service Providers (ASPSPs) can extend the validity of sessions on every request, which prolongs the lifetime of the Access Token. Authenticated endpoints, where an Access Token is sent, set the `X-Access-Token-Expires` response header to communicate the updated expiry. The format is an ISO 8601 timestamp.

Example:

    X-Access-Token-Expires: 2019-12-04T18:16:42.7870000Z
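The Step 2 initialize call, its 401 troubleshooting case and the `X-Access-Token-Expires` header above, worked through as an added Python example (not code from the original page or from Mastercard): the `userHash` check applies the documented pattern, the request builder assembles the partner headers and JSON body from the curl call, and the expiry parser truncates the seven-digit fraction in the sample header to microseconds so it parses on any Python version. Function names and the `now` parameter are assumptions; the endpoint, field names and header names come from this page.

```python
import json
import re
from datetime import datetime, timezone

INITIALIZE_URL = "https://api.nordicapigateway.com/v1/authentication/initialize"
USER_HASH_RE = re.compile(r"^[a-zA-Z0-9-]{8,64}$")
# ISO 8601 UTC timestamp; the fractional part may carry more than six digits
EXPIRES_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def validate_user_hash(user_hash):
    """True only if userHash satisfies the pattern documented for the field."""
    return USER_HASH_RE.fullmatch(user_hash) is not None

def build_initialize_request(client_id, client_secret, user_hash, redirect_url):
    """Assemble the partner-authenticated POST for /v1/authentication/initialize."""
    if not validate_user_hash(user_hash):
        raise ValueError("userHash must match ^[a-zA-Z0-9-]{8,64}$")
    headers = {
        "X-Client-Id": client_id,
        "X-Client-Secret": client_secret,
        "Content-Type": "application/json",
    }
    body = json.dumps({"userHash": user_hash, "redirectUrl": redirect_url})
    return INITIALIZE_URL, headers, body

def auth_url_from_response(status, body):
    """Return authUrl from a successful response; 401 means the TPP pair was rejected."""
    data = json.loads(body)
    if status == 401:
        raise PermissionError("Client ID/Secret rejected: %s" % data.get("error"))
    if status != 200 or "authUrl" not in data:
        raise RuntimeError("unexpected initialize response: HTTP %d" % status)
    return data["authUrl"]

def parse_access_token_expires(value):
    """Parse X-Access-Token-Expires; extra fractional digits are truncated to micros."""
    m = EXPIRES_RE.match(value.strip())
    if m is None:
        raise ValueError("malformed X-Access-Token-Expires: %r" % value)
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    naive = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return naive.replace(microsecond=micros, tzinfo=timezone.utc)

def seconds_until_expiry(header_value, now):
    """Seconds of Access Token validity left relative to an aware UTC `now` (assumed input)."""
    return (parse_access_token_expires(header_value) - now).total_seconds()
```

A client would refresh the stored expiry from every authenticated response, since the ASPSP may extend it on each request.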

#### WebView - iOS/Android {#webview---iosandroid}

If a mobile application uses WebView to connect with Mastercard Open Finance APIs, it is recommended to have `localStorage` enabled within the WebView frame.
