Authorization Introduction

Please review the Getting Started article for helpful information on setup, including obtaining the credentials necessary for Authorization.

SVB APIs rely on OAuth for authentication. Before you can interact with any SVB APIs, you need to obtain an OAuth JWE token (JSON web encrypted token)(https://datatracker.ietf.org/doc/html/rfc7516) following IANA reserved claims. Tokens issued are short-lived and valid specific to the scope issued.

SVB API's uses  JSON Web signature(JWS) (https://datatracker.ietf.org/doc/html/rfc7515)  for non-repudiation, it MUST be signed using client secret and detached the content for the resource calls. The JWS signature of the body of the payload must be send over x-jws-signature custom HTTP header. Please find a walkthrough for generating the JWS here.

SVB opted for the detached signature option because:

  • it avoids obfuscating request/response bodies by wrapping them in a JWS envelope
  • request/responses that provide a malformed x-jws-signature header can be rejected before ever reading the full HTTP body

Note: for added security, clients can optionally request SVB to setup mTLS authentication or IP address/range filtering

 

OAuth 2.0:

SVB APIs use the OAuth 2.0 protocol for authentication and authorization. The OAuth Client Credentials grant type is used by clients to obtain an JSON Web encrypted token outside of the context of a user.

To access the SVB resource server, the client application must authorize itself with valid client credentials. SVB authorization service uses the client credentials grant in order to authorize machine-to-machine requests. The steps for the process are as follows:

1.An app makes a POST request to the authorization service and specifies the following parameters:

NAME DESCRIPTION
 Authorization In order to indicate that the app is authorized to make the request, the Authorization header for this request is set as “Basic BASE64(CLIENT_ID:CLIENT_SECRET)“, where BASE64(CLIENT_ID:CLIENT_SECRET) is the base64 representation of the app client ID and app client secret, concatenated with a colon. SVB will provide a valid CLIENT_ID and CLIENT_SECRET as part of the client on-boarding process.
grant_type Set to “client_credentials” for this grant type.
 content_type Set to “application/x-www-form-urlencoded”.
scope The scope of the token

 

2.The authorization server returns a JSON object with the following keys:

NAME DESCRIPTION
 token_type Set to “Bearer”
issued_at Refers to the UNIX timestamp of our system.
access_token A valid JWE(json web encrypted token)(https://datatracker.ietf.org/doc/html/rfc7516) following IANA reserved claims.
expires_in The length of time (in seconds) for which the provided access token is valid.

Authorization Example

The client app uses the JWE token to make requests to an associated SVB resource server. The SVB resource server validates the received token and, upon a successful validation, executes the required action depending on the type of the resource call.

Sample Creation Request in CURL
curl --location --request POST 'https://api.svb.com/v1/security/oauth/token' \
--header 'Authorization: Basic BASE64(CLIENT_ID:CLIENT_SECRET) ' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=fx'

 

Sample Creation Response
{ "token_type": "Bearer", "issued_at": 1625624530, "access_token": "xxxxxxxx", "scope": "fx", "expires_in": 600 }

Error scenarios:

Invalid Username and Password: If the application consumer provides an invalid app client id or secret, the authorization server will return HTTP 401.

Example: Request
curl --location --request POST https://api.svb.com/v1/security/oauth/token' \
--header 'Authorization:Basic BASE64(INVALID CLIENT_ID:CLIENT_SECRET) ' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=fx'

 

Example: Response
{
"error": "invalid_client",
"error_description": "Client credentials are invalid.",
"error_uri": "http://developer.svb.com/errors"
}

 

Missing Authorization Header: If the application consumer miss Authorization header, the authorization server will return HTTP 401 .

Example: Request
curl --location --request POST 'https://api.svb.com/v1/security/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials'

 

Example: Response
{
"error": "invalid_client",
"error_description": "Client credentials are invalid.",
"error_uri": "http://developer.svb.com/errors"
}

 

Invalid Content-Type: If the application consumer provides an invalid content type, the authorization server will return HTTP 415 Unsupported Media Type. 

Example: Request
curl --location --request POST 'https://api.svb.com/v1/security/oauth/token' \
--header 'Authorization:Basic BASE64( CLIENT_ID:CLIENT_SECRET) ' \
--header 'Content-Type: application/json' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=fx'

 

Example: Response
{
"error": "invalid_request",
"error_description": "Mandatory param Content-Type is invalid.",
"error_uri": "http://developer.svb.com/errors"
}

 

Invalid Grant-Type: If the application consumer provides no grant type, authorization server will return HTTP 400. 

Example: Request
curl --location --request POST 'https://api.svb.com/v1/security/oauth/token' \
--header 'Authorization:Basic BASE64( CLIENT_ID:CLIENT_SECRET) ' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'scope=fx'

 

Example: Response
{
"error": "invalid_request",
"error_description": "Mandatory param grant_type is null.",
"error_uri": "http://developer.svb.com/errors"
}

 

Incorrect Grant-Type: If the application consumer provides an incorrect grant type, the authorization server will return HTTP 400. 

Example: Request
curl --location --request POST 'https://api.svb.com/v1/security/oauth/token' \
--header 'Authorization:Basic BASE64( CLIENT_ID:CLIENT_SECRET) ' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'scope=fx'

 

Example: Response
{
"error": "unsupported_grant_type",
"error_description": "Mandatory param grant_type is invalid.",
"error_uri": "http://developer.svb.com/errors"
}

 

Non-existent Grant-Type: If the application consumer provides an incorrect grant type, the authorization server will return HTTP 400. 

Example: Request
curl --location --request POST 'https://api.svb.com/v1/security/oauth/token' \
--header 'Authorization:Basic BASE64( CLIENT_ID:CLIENT_SECRET) ' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=test' \
--data-urlencode 'scope=fx'

 

Example: Response
{
"error": "unsupported_grant_type",
"error_description": "Mandatory param grant_type is invalid.",
"error_uri": "http://developer.svb.com/errors"
}

 

Invalid request Verb: If the application consumer provides an incorrect request verb, the authorization server will return HTTP 405.

Example: Request
curl --location --request GET 'https://api.svb.com/v1/security/oauth/token' \
--header 'Authorization:Basic BASE64( CLIENT_ID:CLIENT_SECRET) ' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=fx'

 

Example: Response
{
"error": "invalid_request",
"error_description": "Method GET not allowed.",
"error_uri": "http://developer.svb.com/errors"
}

 

Invalid client with revoked/not approved app: If the application consumer provides credentials which is revoked/not approved app, the authorization server will return HTTP 401.

Example: Request
curl --location --request POST 'https://api.svb.com/v1//security/oauth/token' \
--header 'Authorization:Basic BASE64( REVOKED CLIENT_ID:CLIENT_SECRET) ' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=fx'

 

Example: Response
{
    "error": "invalid_client",
    "error_description": "API key has not been approved or has been revoked",
    "error_uri": "http://developer.svb.com/errors"
}

 

Resource Server Error Scenarios:

If the application consumer provides an invalid authorization type, SVB resource server will return HTTP 401.

Missing Authorization header

Example: Request
curl --location --request POST 'https://api.svb.com/v1/payment/wires' \
--header 'Content-Type: application/json' \
--header 'x-jws-signature: eyJraWQiOiJjMzlkMjAxZC05MDIwLTQzOGMtYjA2YS0yMzljNjY3ZDhkZWQiLCJ0eXAiOiJKT1NFIiwiYWxnIjoiSFMyNTYifQ..jQHRD_9DbY5hjTzRopnH8_gsqcLz44t1uP6on5ykUIU' \
--header 'Content-Type: text/plain' \
--data-raw '{
"debit_account": "3300187974",
"amount": {
"currency_code": "USD",
"value": "12.78"
},
"processing_date": "2021-06-30",
"beneficiary_details": {
"beneficiary_account": "65768776",
"beneficiary_name": {
"given_name": "Ntest OP"
},
"beneficiary_address": {
"country": "US"
}
},
"beneficiary_bank": {
"bank_name": "Wells Fargo",
"bank_address": {
"country": "US"
},
"routing_number": "021000021"
},
"payment_details": {
"reason_for_payment": "testwires30June01",
"bank_instruction": "BankInst30June01"
}
}'

 

Invalid JWE token value after Bearer

Example: Request
curl --location --request POST 'https://api.svb.com/v1/payment/wires' \
--header 'Authorization: Bearer INVALID JWE Token' \
--header 'Content-Type: application/json' \
--header 'x-jws-signature: eyJraWQiOiJjMzlkMjAxZC05MDIwLTQzOGMtYjA2YS0yMzljNjY3ZDhkZWQiLCJ0eXAiOiJKT1NFIiwiYWxnIjoiSFMyNTYifQ..jQHRD_9DbY5hjTzRopnH8_gsqcLz44t1uP6on5ykUIU' \
--data-raw '{
"debit_account": "3300187974",
"amount": {
"currency_code": "USD",
"value": "12.78"
},
"processing_date": "2021-06-30",
"beneficiary_details": {
"beneficiary_account": "65768776",
"beneficiary_name": {
"given_name": "Ntest OP"
},
"beneficiary_address": {
"country": "US"
}
},
"beneficiary_bank": {
"bank_name": "Wells Fargo",
"bank_address": {
"country": "US"
},
"routing_number": "021000021"
},
"payment_details": {
"reason_for_payment": "testwires30June01",
"bank_instruction": "BankInst30June01"
}
}'

 

Missing JWE token after Bearer

Example: Request
curl --location --request POST 'https://api.svb.com/v1/payment/wires' \
--header 'Authorization: Bearer' \
--header 'Content-Type: application/json' \
--header 'x-jws-signature: eyJraWQiOiJjMzlkMjAxZC05MDIwLTQzOGMtYjA2YS0yMzljNjY3ZDhkZWQiLCJ0eXAiOiJKT1NFIiwiYWxnIjoiSFMyNTYifQ..jQHRD_9DbY5hjTzRopnH8_gsqcLz44t1uP6on5ykUIU' \
--data-raw '{
"debit_account": "3300187974",
"amount": {
"currency_code": "USD",
"value": "12.78"
},
"processing_date": "2021-06-30",
"beneficiary_details": {
"beneficiary_account": "65768776",
"beneficiary_name": {
"given_name": "Ntest OP"
},
"beneficiary_address": {
"country": "US"
}
},
"beneficiary_bank": {
"bank_name": "Wells Fargo",
"bank_address": {
"country": "US"
},
"routing_number": "021000021"
},
"payment_details": {
"reason_for_payment": "testwires30June01",
"bank_instruction": "BankInst30June01"
}
}'

 

Example Response for various scenarios above

Example: Request
{
"name": "INVALID_TOKEN",
"id": "161409e4-e35c-48e4-9f51-5b0fc1e92874",
"message": "Token is invalid",
"time": "2022-01-27T19:17:36.483Z",
"errors": [
{
"keyword_location": "Authorization",
"in": "header",
"message": "Token is invalid"
}
],
"links": [
{
"href": "https://developer.svb.com/errors/INVALID_TOKEN",
"rel": "error_details",
"enc_type": "application/json"
}
]
}