The current API version is "1".
The API supports 2 API versioning strategies.
The value of the header key or the query string parameter key to use is apiVersion.
API requests must be performed using a secure transport layer over HTTPS with a minimum TLS version of 1.2.
All API activity will be sanitized, recorded and retained as per Ingo's data retention strategy.
The APIs are designed for machine-to-machine communication and are restricted by adding our partners' IP addresses to an "Allowed List" of IP addresses.
A single IP, multiple IPs or a range of IPs can be added to the list.
The Client Id and Client Secret will be provisioned by Ingo Client Services and provided in a PGP-encrypted file.
We will need a Public Key from the client to encrypt the credentials.
APIs are secured using an OAuth2 Client Credentials Grant Flow.
The Access Token can be retrieved from the following authorization URLs.
Refer to the following Client Credentials Flow link for further details and examples on how to send in a valid authorization request.
Authentication using a shared secret
Example:
POST https://auth-uat.ingo.money/connect/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic Q2xpZW50SWQ6UEBzc3cwckQjRXhAYW1wbGUh

scope=https://apis.ingo.money/auth/insights/identity-score

POST https://auth-uat.ingo.money/connect/token
Content-Type: application/x-www-form-urlencoded

scope=https://apis.ingo.money/auth/insights/identity-score&grant_type=client_credentials&client_id=The_Best_Client_Ever&client_secret=Super_DOOPER_Secret
STATUS CODE: 200 (OK)
{
"access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IkUxQjNCQkJFMzhDNDdBREJDNzk0N0FDQ0U1OTVFMjQ3MUNEMkFGQUVSUzI1NiIsInR5cCI6ImF0K2p3dCIsIng1dCI6IjRiTzd2ampFZXR2SGxIck01WlhpUnh6U3I2NCJ9.eyJuYmYiOjE2MDYzMjA1NTYsImV4cCI6MTYwNjMyNDE1NiwiaXNzIjoiaHR0cHM6Ly9hdXRoLWxvY2FsLmluZ28ubW9uZXk6NTUwMDEiLCJhdWQiOlsiSWRlbnRpdHlJbnNpZ2h0cy5BcGkiLCJodHRwczovL2F1dGgtbG9jYWwuaW5nby5tb25leTo1NTAwMS9yZXNvdXJjZXMiXSwiY2xpZW50X2lkIjoiTmV0U3BlbmQiLCJpZGVudGl0eS5zY29yaW5nIjoidHJ1ZSIsImp0aSI6IjlEODREMjUyOUQyNTY4NTMwQzI1RTY4NDA0MTdFQzAxIiwiaWF0IjoxNjA2MzIwNTU2LCJzY29wZSI6WyJodHRwczovL2FwaXMuaW5nby5tb25leS9hdXRoL2luc2lnaHRzL2lkZW50aXR5LXNjb3JlIl19.W8Sz3_A_8sJr2p_zqbhrAisr8ECwu5cVYdxVlMqYzEwI4l22_ulIVwRpKNWEmp7wlngnSV5cl9fwoj5QqOSwZoixsk4sFGk6vcZcdbmutOvum-Q7lZ1iTwfwpQv_Q2Cp__NHc9KFSD3KR8qFdAucE5UlOr5VvOb__r-mvtvL1f1HYRRG2JSkkzjXy04Nbn-UKcvYm0VoqL3vaye3-uOPyo9NI0mMcgJCJpM1jmnM6BkdZOr2zvd4-jOt2FOcZWlHCoeGf8YFm4RWCF6o3MNIxbrOqxfZ8YKztmBIxTUnWe6GPtbkU16FYIbgdp4uaJcr3YQIvgPt0FhT-tXxr8qjdQ",
"expires_in": 3600,
"token_type": "Bearer",
"scope": "https://apis.ingo.money/auth/insights/identity-score"
}
To improve performance, it is recommended that the client reuse the access_token for back-to-back API calls.
The expires_in response parameter can guide the storage / caching mechanisms and the timing of when the client's system needs to request a new access_token.
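The caching guidance above can be implemented as follows. This is an added example, not Ingo's code: the names TokenCache and fetch_token and the 60-second refresh margin are assumptions, while the token URL, scope and response fields are taken from the examples on this page.

```python
import base64, json, ssl, threading, time
import urllib.parse, urllib.request

TOKEN_URL = "https://auth-uat.ingo.money/connect/token"          # from the page
SCOPE = "https://apis.ingo.money/auth/insights/identity-score"   # from the page

def fetch_token(client_id, client_secret, url=TOKEN_URL, scope=SCOPE):
    """Request a token; credentials travel in the Basic header, never in the URL."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # page requires TLS 1.2 or higher
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": scope}).encode()
    req = urllib.request.Request(url, data=body, headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Holds one access_token in memory and refreshes it shortly before expiry."""

    def __init__(self, fetch, skew=60, clock=time.monotonic):
        # skew (assumed value): seconds subtracted from expires_in so that a
        # token is never sent when it is about to expire in transit.
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._lock = threading.Lock()      # one refresh at a time across threads
        self._token, self._expires_at = None, 0.0

    def get(self):
        with self._lock:
            if self._token is None or self._clock() >= self._expires_at:
                resp = self._fetch()
                if resp.get("token_type", "").lower() != "bearer":
                    raise ValueError("unexpected token_type in token response")
                lifetime = max(0, int(resp["expires_in"]) - self._skew)
                self._token = resp["access_token"]
                self._expires_at = self._clock() + lifetime
            return self._token

    def invalidate(self):
        """Drop the cached token, e.g. after an API call is rejected with 401."""
        with self._lock:
            self._token = None
```

In a client, construct the cache once with `TokenCache(lambda: fetch_token(client_id, client_secret))` and send `Authorization: Bearer <cache.get()>` on each API call; keep the token and secret out of logs.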
Before clients can go live, Ingo Money will work closely with the client integration and application engineering teams to ensure that all possible known responses are being handled appropriately.
This process will ensure our clients are well prepared for their production deployments and have the edge cases covered.
The certification process may include, but is not limited to, the following scenarios.
As with any external network dependency, we recommend our clients use a fault-tolerant API access strategy with a retry policy. An example can be found here: Resilience policies