A Basic token is used for authentication with all types of authorization requests, and a Bearer token is used for post-authentication requests. For example:
- Basic base64(client_id:client_secret) (used for creating and interacting with Authorize APIs)
- Bearer access_token (used for all other resource APIs)
- A Client Credential Grant is when your application merely needs to receive Citi data but not a customer’s – for example, you are using the onboarding API to retrieve or submit credit card offers. In short, it lets us know that you are a validated API consumer.
- An Authorization Code Grant is when you need a customer’s permission to retrieve their data – such as their account information or transaction information.
- You need to implement multi-factor authentication when you perform a high-risk transaction, such as making a money transfer.
- For a detailed list of differences and which API domains require which type of token, take a look at our Authorize Guide.
- Authcode (what you exchange for an access token) - 120 seconds
- access_token (what you need to call other APIs) - 30 minutes
- refresh_token (how you can programmatically refresh your access token) - 30 days
It could be a variety of issues, but here are some common problems. If these don’t help, please let us know at our contact us page.
- Check that your client-id and secret are correctly matched against the application you created.
- Verify that your Base64 encoding has been correctly formatted per the authorization documentation.
- Ensure that Basic is prefixed to the encoded client_id and client_secret when making your token call.
- Make sure that your access token is not invalidated or expired.
You can switch between your teams at any time from the navigation bar. Once you switch teams, you can view the API keys that your teammates have shared with you.