#  API Authentication 
source: https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/tutorials/api-authentication-tutorial/index.md

This guide walks through the steps required to authenticate towards our API and enable your users to login.

### Step 1 - Partner authentication {#step-1---partner-authentication}

1. All endpoints require partner authentication through headers that contain your Client ID and Client Secret:

    X-Client-ID: <CLIENT_ID>
    X-Client-Secret: <CLIENT_SECRET>

2. Once an end-user is authenticated, requests to session endpoints require an Access Token to be sent as a part of the Authorization header:

    Authorization: Bearer <ACCESS_TOKEN>

### Step 2 - Getting an Access Token​ {#step-2---getting-an-access-token}

1. Initiate your [Supervised logins](https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/connect/supervised/index.md).


API Reference: `POST /v1/authentication/initialize`

```shell
curl -X POST \
  https://api.nordicapigateway.com/v1/authentication/initialize \
  -H 'X-Client-Id: <CLIENT_ID>' \
  -H 'X-Client-Secret: <CLIENT_SECRET>' \
  -H 'Content-Type: application/json' \
  -d '{
        "userHash": "test-user-id",
        "redirectUrl": "https://httpbin.org/anything"
      }'
```

2. A `redirectUrl` and a `userHash` must be provided. The PSU will be redirected to the `redirectUrl`after completing the login flow. The `userHash` is used to identify the PSU when making future requests.

Note: The provided `userHash` must match the regular expression `^[a-zA-Z0-9-]{8,64}$`. It must consist of uppercase and lowercase characters from (`a` to `z` and/or `A` to `Z`) and numbers from `0` to `9` and dashes `-`. Also, it must be between 8 and 64 characters in length. To read more about how to get the user hash, see [Authentication - Identifying users](https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/connect/identifying-users/index.md).

#### Result {#result}

If the request is successful, the following response displays:

```json
{
  "authUrl": "https://api.nordicapigateway.com/v1/authentication/start?startToken=mgAAAAVDaXBoZXJ0ZXh0AGAAAAAAJVb2479bpXmLEke3qBXbA8dj8Q9bfGoJTp0gladstCZaPiuTua9Q7ECuEQZavQmSXBMuO03qQItNLCVpcMimziAXj11waCGCa9AE66szZcTIAPDd2I78OXnDycjd9Fb1BUl2ABAAAAAAvBk7JRFhz3x7Ca6XFmxjahBLZXlJZAAAAAAAAA%3D%3D"
}
```

The response contains an `authUrl` that points to a webpage which starts a [Supervised login flow](https://developer.mastercard.com/open-finance-europe/documentation/licensed/aiia-enterprise/connect/supervised/index.md).

Redirect the user to the `authUrl` for them to complete the login flow as in the next step.

### Step 3 - User Connect Account​ {#step-3---user-connect-account}

The user onboards Account through the UI and authorized to access the beneficiary account, navigates to URL and completes:

* Choose Bank
* Log Into Bank
* Choose Account
* Accept consent to pass data to Client's app

![](https://static.developer.mastercard.com/content/open-finance-europe/uploads/UserOnboardsaccount.PNG)

### Step 4 - User redirected and code received {#step-4---user-redirected-and-code-received}

Once end users have completed the connection flow, they will be redirected back to your specified `redirect_uri`. This redirect will have a query parameter called `code` sent with it, which you need to gain an access token.

User is redirected back to provided `redirect_uri` With a `code` and a `ConsentID`

Along with the `code`, you get a `consentId`. This id is your representation of a user and is valid as long the user has given his or her consent for you to fetch data. A good idea is to store this id along with your tokens. We use this id when we send you webhooks.
Note: `code` is not URL safe, meaning that it will be URL encoded. code will need to be URL decoded before the next step. Some web frameworks may do this automatically.

### Step 5 - Client Exchanges code for tokens {#step-5---client-exchanges-code-for-tokens}

The `code` retrieved from the previous step will be exchanged for an `accessToken` for use to retrieve accounts and transactions.

API Reference: `POST /v1/authentication/tokens`

#### Request {#request}

* Use the `CODE` retrieved from the previous step to get the access token.

```shell
curl -X POST \
  https://api-sandbox.aiia.eu/v1/authentication/tokens \
  -u <CLIENT_ID>:<CLIENT_SECRET>
  -H 'Content-Type: application/json' \
  -d '{
        "code": "<CODE>"
      }'
```

Note: The `code` can only be used once and expires after one minute.

#### Response {#response}

If the request is successful, the response will look like:

```json
{
  "session": {
    "accessToken": "<access-token>",
    "scopes": [
      "Accounts",
      "UnattendedLogin"
    ]
  },
  "login": {
    "providerId": "DemoBank",
    "expires": "2023-03-08T14:00:00.000+00:00",
    "loginToken": "<login-token>",
    "supportsUnattended": true,
    "label": "DemoBank, user 12345, created 9/6/2022 2:00:00 PM",
    "subjectId": "<subject-id>",
    "aisScaExpires": "2022-12-05T14:00:00.000+00:00"
  },
  "providerId": "DemoBank",
  "state": "<state>"
}
```

* Record the `access_token` for next tutorials.
