Introduction
The Service Provider Backend APIs allow you to manage custom data for your users.
Base URL
The Service Provider Backend APIs are served over HTTPS, and provided as endpoints under:
where <host-name> has the following value depending on the environment:
- Sandbox: api.bindid-sandbox.io
- Production: api.bindid.io
- Production EU: api.eu.bindid.io
Authorization
Authentication is performed using an OAuth2 Access Token in the Authorization request header field.
The Authorization header value should have the following form, where the tokens are replaced according to the descriptions below:
Token | Description |
---|---|
<accesstoken> | Access token associated with the request. If not present, the access token will be taken from the subject_session_at field in the body if present; otherwise, an unauthorized response is returned. If the access token is passed in both the header and body, they must match. Note that some requests may require a subject_session_at field in the body. |
<authvalue> | Base-64 encoded HMAC-SHA256 on the access token associated with the request, where the HMAC is calculated using the service provider client secret as the key (see the Java code sample below). |
This sample Java code generates the <authvalue> and constructs the Authorization header value:
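An added example (not the vendor's sample) that computes <authvalue> as described in the table above and applies the header/body token rule as a client-side pre-flight check. It assumes UTF-8 input bytes and standard padded Base64, which the page does not specify; the class and method names and the sample values are made up for illustration, and the header string itself is not built here.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class BindIdAuthValue {

    // Rule from the <accesstoken> row: use the header token, fall back to
    // subject_session_at from the body, and reject a mismatch when both are set.
    static String resolveAccessToken(String headerToken, String bodyToken) {
        if (headerToken == null && bodyToken == null) {
            throw new IllegalArgumentException("no access token: the API would answer unauthorized");
        }
        if (headerToken != null && bodyToken != null && !headerToken.equals(bodyToken)) {
            throw new IllegalArgumentException("header token and subject_session_at differ");
        }
        return headerToken != null ? headerToken : bodyToken;
    }

    // <authvalue> = Base64(HMAC-SHA256(key = client secret, message = access token)).
    // Assumptions: UTF-8 bytes for both inputs, standard Base64 with padding.
    static String authValue(String accessToken, String clientSecret) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(clientSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return Base64.getEncoder().encodeToString(mac.doFinal(accessToken.getBytes(StandardCharsets.UTF_8)));
    }

    // Constant-time comparison, for code that has to check a received <authvalue>.
    static boolean matches(String received, String accessToken, String clientSecret)
            throws GeneralSecurityException {
        byte[] expected = authValue(accessToken, clientSecret).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, received.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample values, not real credentials; load the real
        // client secret from a secret store, never from source code.
        String secret = "example-client-secret";
        String token = resolveAccessToken("example-access-token", "example-access-token");
        String value = authValue(token, secret);
        System.out.println("authvalue = " + value);
        System.out.println("verifies  = " + matches(value, token, secret));
        System.out.println("tampered  = " + matches(value, token + "x", secret));
    }
}
```

Because the HMAC key is the client secret, this computation belongs on the service provider's backend only; a browser or mobile client that could compute <authvalue> would also be holding the secret.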
Errors
The following types of errors will be returned in case of failure.
Unauthorized
For an API call specifying an invalid access token or one that does not belong to the authenticating client ID, the response will be an HTTP 403 Forbidden response:
Applicative
Applicative failure cases will be reported as an HTTP 200 OK response, with an application/json header and a JSON body with the following structure:
Field Name | Description | Type |
---|---|---|
status_code | A symbolic error code. | String |
For example:
Others
Each API may indicate other failure responses. All APIs may also return a 500 error in case of an internal server error.