Authentication

Authentication model
Expected patterns
Request headers
Authorization approach

Authentication model

Finpace APIs are intended to be protected by OAuth 2.0 and OpenID Connect at the gateway and resource-server layers. Access decisions are evaluated against tenant, client, role and operation scope.

Expected patterns

Client credentials for server-to-server integrations
Authorization code with PKCE for browser and mobile experiences
mTLS for high-trust institutional integrations where required
Signed webhook verification for callback consumers

Request headers

Authorization: Bearer <access_token>
X-Correlation-Id: 9c39f94d-c6c9-4f11-bf18-d8f4f8df2d9d
X-Idempotency-Key: 14f2c89f-781a-4f0a-bfa9-d85bfe6a0ac5
X-Tenant-Id: wb-001

Authorization approach

Entitlements are evaluated against the business action being requested, not only the endpoint path. This supports separation of duties, operational workbench permissions and step-up controls for sensitive servicing actions.

API Overview List product definitions

⌘I

Getting started

Generated endpoints

Products

Parties

Agreements & Entitlements

Onboarding

Accounts

Cash Management

SME Lending

Consumer Lending

Service Requests

Interactions

Notifications

Webhooks

Audit

Authentication model

Expected patterns

Request headers

Authorization approach

Getting started

Generated endpoints

Products

Parties

Agreements & Entitlements

Onboarding

Accounts

Cash Management

SME Lending

Consumer Lending

Service Requests

Interactions

Notifications

Webhooks

Audit

​Authentication model

​Expected patterns

​Request headers

​Authorization approach

Authentication model

Expected patterns

Request headers

Authorization approach