API Authentication

Learn how to authenticate with our API

In this section, we will discuss how to authenticate to our Venly API products which contain the Wallet, NFT and PAY-API.

๐Ÿ“˜

Venly uses OAuth + JWT authorization for its APIs.

Authentication Flow Diagram

Authentication Flow

Authentication Flow

Authentication Steps

Authenticating API Services

Authenticating API Services

To authenticate calls for API products, follow these steps:

1. Obtain Access Credentials

Get your Client ID and Client Secret from the authentication section of the Developer Portal.

๐Ÿšง

There are two types of access credentials:

  • Sandbox Credentials (For the sandbox environment to test with testnets)
  • Production Credentials (For the production environment for deploying on mainnet)

You can switch between the access credentials from the authentication page by hitting the toggle button.

Access Credentials - Developer Portal

Access Credentials - Developer Portal

2. Request Access Token

Make a POST request to the authentication endpoint with your client credentials to get an access_token (bearer token).

๐Ÿ“˜

Use sandbox credentials with the sandbox endpoint and production credentials with the prodution endpoint.

Sandbox Environment Endpoint (Runs on testnet chains and is used for trying out or testing purposes):

POST https://login-sandbox.venly.io/auth/realms/Arkane/protocol/openid-connect/token

Production Environment Endpoint (Runs on mainnet chains and used for real API calls):

POST https://login.venly.io/auth/realms/Arkane/protocol/openid-connect/token

Request Body:

{
    "grant_type": "client_credentials", //this will be "client_credentials"
    "client_id": "<your_client_id>",
    "client_secret": "<your_client_secret>"
}
NameTypeDescription
grant_typestringThis will be client_credentials
client_idstringClient ID provided to you by Developer Portal.
client_secretstringClient Secret provided to you by Developer Portal.

Response Body

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJmQi1UenBOb0hBVGhwT2J4aW9qTDBrdm83MldmRzRXRXh1eFpiaXlGQUhzIn0.eyJleHAiOjE2OTU5ODg0OTksImlhdCI6MTY5NTk4ODEzOSwianRpIjoiMWZlMDk0YjUtZWZkYy00Yjk1LWEzMWYtMzQxM2E4MjcwMzFlIiwiaXNzIjoiaHR0cHM6Ly9sb2dpbi1zdGFnaW5nLmFya2FuZS5uZXR3b3JrL2F1dGgvcmVhbG1zL0Fya2FuZSIsImF1ZCI6WyJyZWFsbS1tYW5hZ2VtZW50IiwiTkZULUFQSSIsIkFya2FuZUNvbm5lY3QiXSwic3ViIjoiMDQ0Y2VhNDEtY2IyNy00OGUzLTliZDAtM2E3OWRmMGZhMTNiIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZHJpbGEtY2Fwc3VsZSIsInNlc3Npb25fc3RhdGUiOiJmYjhhYzgxMi0yODVjLTQ3NDctYTIzNi1jYzAxODM1MjY4ZjIiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHBzOi8vYXBpLXN0YWdpbmcudmVubHkubWFya2V0IiwiaHR0cHM6Ly9hcGktd2FsbGV0LXN0YWdpbmcudmVubHkuaW8iLCJodHRwczovL2FwaS1idXNpbmVzcy1zdGFnaW5nLnZlbmx5LmlvIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJDb25uZWN0IGFkbWluIiwiTkZULUFQSSJdfSwicmVzb3VyY2VfYWNjZXNzIjp7InJlYWxtLW1hbmFnZW1lbnQiOnsicm9sZXMiOlsicXVlcnktY2xpZW50cyIsInF1ZXJ5LWdyb3VwcyJdfSwiTkZULUFQSSI6eyJyb2xlcyI6WyJtYW5hZ2U6dG9rZW5zIiwidmlldzppdGVtcyIsIm1hbmFnZTp0b2tlbi10eXBlcyIsIm1hbmFnZTpjb250cmFjdHMiLCJtaW50OnRva2VucyIsInVwbG9hZDptZWRpYSIsInZpZXc6ZW52aXJvbm1lbnRzIiwiY3JlYXRlOm1pbnRlci13YWxsZXQiLCJjcmVhdGU6Y29tcGFueS1taW50ZXItd2FsbGV0IiwibWFuYWdlOm1pbnRlci13YWxsZXQiLCJtYW5hZ2U6YXBwcyJdfSwiQXJrYW5lQ29ubmVjdCI6eyJyb2xlcyI6WyJldmljdDpjb25uZWN0LWNhY2hlIl19fSwic2NvcGUiOiJ2aWV3OndhbGxldHMgd2hpdGVsYWJlbCBleHBvcnQ6d2FsbGV0cyBlbWFpbCB2aWV3OndhbGxldC1hbmFseXRpY3Mgc2F2ZTpzaWduYXR1cmUgdXNlOmFsbC13YWxsZXRzIHNpZ246d2FsbGV0cyB2aWV3OnByb2ZpbGUgdmlldzphcmNoaXZlZC13YWxsZXRzIHNhdmU6dHJhbnNhY3Rpb24gcHJvZmlsZSIsImNvbXBhbmllcyI6W3siaWQiOiIxNzhkYzM4Zi1mM2VjLTQyMWQtYWY3Mi0wZDE3MjRjNTZkOWUiLCJuYW1lIjoiRHJpbG9uIn1dLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImNsaWVudElkIjoiZHJpbGEtY2Fwc3VsZSIsImNsaWVudEhvc3QiOiIzOS41OS4xMy44MiIsIm5pY2tuYW1lIjoiQ29uanVyaW5nUXVldHphbCIsInByZWZlcnJlZF91c2VybmFtZSI6InNlcnZpY2UtYWNjb3VudC1kcmlsYS1jYXBzdWxlIiwiY2xpZW50QWRkcmVzcyI6IjM5LjU5LjEzLjgyIn0.Yy7m4wbK7OdUgNuS55OFMj-0dVBN57gw1n7yQ9fYxXYfOJy80fnuFzCD8gMoLWUEdpGGb9WmhVj8tpYGkn18MoA5RUT5AgbcLYF7CCCJKupJu9blfCGsusAcvqd8z295ps8ZT6DWfrdJcYrMmrrZqYrRMngMJJdHc6uGCEAXfaWuC3dO1ykT-QSvtMqi7VNXV_UJ63EfrLfnvHEUKQWu1s-HyU_JYDPEtF4qRN2_RxfqjcJfm1sQUvrBZJFLdTu4CXJSpsRL6N04cCeoA4RM3kM6GlxNQIcYV9laIx5Ct6HANHUf-XXUU_-AAMEKT4B2f9l1e8LtFkva9BevaXXB5A",
    "expires_in": 360,
    "refresh_expires_in": 3456000,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlOTVlMDc2NC1lZmVkLTQyMmEtYmU0Mi1iZTcwYmY1Nzg2NDYifQ.eyJleHAiOjE2OTk0NDQxMzksImlhdCI6MTY5NTk4ODEzOSwianRpIjoiMjk3YTFmYmYtODVjZS00ZmZjLWJiNWQtNTJlNWYwZDk2YmRmIiwiaXNzIjoiaHR0cHM6Ly9sb2dpbi1zdGFnaW5nLmFya2FuZS5uZXR3b3JrL2F1dGgvcmVhbG1zL0Fya2FuZSIsImF1ZCI6Imh0dHBzOi8vbG9naW4tc3RhZ2luZy5hcmthbmUubmV0d29yay9hdXRoL3JlYWxtcy9BcmthbmUiLCJzdWIiOiIwNDRjZWE0MS1jYjI3LTQ4ZTMtOWJkMC0zYTc5ZGYwZmExM2IiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoiZHJpbGEtY2Fwc3VsZSIsInNlc3Npb25fc3RhdGUiOiJmYjhhYzgxMi0yODVjLTQ3NDctYTIzNi1jYzAxODM1MjY4ZjIiLCJzY29wZSI6InZpZXc6d2FsbGV0cyB3aGl0ZWxhYmVsIGV4cG9ydDp3YWxsZXRzIGVtYWlsIHZpZXc6d2FsbGV0LWFuYWx5dGljcyBzYXZlOnNpZ25hdHVyZSB1c2U6YWxsLXdhbGxldHMgc2lnbjp3YWxsZXRzIHZpZXc6cHJvZmlsZSB2aWV3OmFyY2hpdmVkLXdhbGxldHMgc2F2ZTp0cmFuc2FjdGlvbiBwcm9maWxlIn0.D1ceJfK3eSVoanPAIYBEhqGPgCOEhmVltKAu4kz4Q_o",
    "token_type": "bearer",
    "not-before-policy": 1572970662,
    "session_state": "fb8ac812-285c-4747-a236-cc01835268f2",
    "scope": "view:wallets whitelabel export:wallets email view:wallet-analytics save:signature use:all-wallets sign:wallets view:profile view:archived-wallets save:transaction profile"
}

3. Use Access Token

Include the access_token in the Authorization header of your API requests as a Bearer token.

Authorization: Bearer <your_access_token>

4. Refresh Token (if needed)

The access token is valid for 6 minutes. After 6 minutes, you will need to request a new access token. This can be done by performing the same call.

๐Ÿ“˜

The refresh_token is provided but is deprecated and should not be used to receive a new access_token. Use the same method to request a new access token instead.

Using the Bearer token in the API calls

In the result of the previous call, an access_token is returned. This access_token must be passed with every API call you do (as a Bearer token in the authorization header).

To run API calls on our documentation tool, you can enter the access_token as shown below to authenticate calls:

Entering Bearer Token to Authenticate API Calls

Entering Bearer Token to Authenticate API Calls

Video Guide

๐Ÿ‘

Learn more about our different APIs, Wallet-API, NFT-API and PAY-API

API Security, best practices

Authentication is a critical aspect of securing access to resources. Following best practices and using secure authentication methods can protect your system and its data from unauthorized access. To learn more about best security practices for API security, please refer to the guide below.

๐Ÿ“˜

Learn more about the best practices for API security.