API keys are recommended for most third-party applications and can also be used for first-party applications. They do not expire and don't require refreshing.

API keys should be created by firm's owner user. If not, they are subject to the same permissions as the creating user, which may prevent the application from accessing resources. We recommend using the firm's owner as that is the only user guaranteed to have full access to all resources. Firm owners cannot lower their permissions or be locked out of the application or prevented from accessing any individual resource.

Create an ID Token

First you need to create an ID token using a username/password grant type. Do this by making a request like this:

curl --request POST 'https://api.bridgeft.com/v2/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=YOUR_EMAIL' \
--data-urlencode 'password=YOUR_PASSWORD' \
--data-urlencode 'grant_type=password'

Where YOUR_EMAIL and YOUR_PASSWORD are the login username and password for the user you want to create an API for, respectively. Remember, this should be the user designated as the owner of the firm.

You'll receive a response that looks like this:

{
    "ExpiresIn": 3600,
    "TokenType": "Bearer",
    "IdToken": "eyJraWQiOiIwMnFuVWJhQ0JXS1hveTFRRWQ1OE9kM0...",
    "RefreshToken": "eyJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NN..."
}

The ID token can be used as a bearer token and expires in one hour. You can discard the refresh token since you'll be using this ID token to create an API key.

Create an API key

API keys must be named. It's recommended to use the name of your application or internal automation process. You can create an API key with a request like this:

curl --request POST 'https://api.bridgeft.com/v2/auth-management/api-keys' \
--header 'Authorization: Bearer ID_TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
    "name": "Application name"
}'

Where ID_TOKEN is the IdToken field from the above request. It is a Json Web Token that should be used as a bearer token.

The response will look like this:

{
    "id": 44,
    "user_id": 265,
    "profile_id": 257,
    "name": "Application name",
    "description": "",
    "key": "YOUR_API_KEY",
    "created_dt_utc": "2021-04-16T10:49:02Z",
    "object": "auth_management.apikey"
}

The API key is the value of the key field in this response.

Using an API key

You can now use the API key instead of the ID token for future API requests. For example, you can list accounts like this:

curl --request GET 'https://dev.api.bridgeft.com/v2/account-management/accounts' \
--header 'Authorization: Bearer YOUR_API_KEY'

Where YOUR_API_KEY is the API key obtained from above.

Managing API keys

API keys can be viewed and deleted from the /v2/auth-management/api-keys endpoint. They cannot be updated. See the API reference for more details.