getneo
  1. Endpoints
getneo
  • Introduction
  • API examples
  • Technical topics
    • API structure
    • HTTP headers
    • Decoupled responses
    • Validation failures (418)
  • Endpoints
    • Auth
      • Get service bearer token (password)
        GET
      • Change tenant
        GET
      • End session
        GET
    • Counterparties
      • Get all counterparties
        GET
      • Get counterparty by ID
        GET
      • Get draft counterparty by ID
        GET
      • Submit counterparty draft
        POST
      • Update counterparty draft
        POST
      • Delete a counterparty draft
        DELETE
      • Add account to counterparty
        POST
      • Update counterparty account
        PATCH
      • Export counterparty data
        POST
    • Payments
      • Get all payments
        GET
      • Get a payment by ID
        GET
      • Make a payment (deposit, withdrawal or internal)
        POST
  1. Endpoints

Authentication and Authorisation

Request Authentication#

Unless stated otherwise and tagged anonymous, all requests require the user to be authenticated.
Additionally, all requests require the user to be logged in to a tenant corp, unless tagged no-tenant, which means that the request affects the user, not their current tenant.

Authentication Types#

Bearer token by service password#

Warning
This is the legacy authorisation method for service accounts still using a password (might be referred to as "API key").
You can check this by looking at the service in your Users list ; if you don't see an "API Keys" section, you are still using a password.
Bearer authentication is achieved through the GET (auth)/auth/login request including a Authorization: Plaintext (login_id) (api_key) header, with a bearer token value provided on success.
All subsequent requests must provide the supplied bearer token in each request, using the Authorization: Bearer ... header.
Example
Request:
Response:

Bearer token by service API key#

Note
This is only available if your service account profile has the "API Keys" section.
Bearer authentication is achieved through the GET (auth)/auth/login request including a Authorization: API_HMAC ... header, with a bearer token value provided on success.
The value of the header is an HMAC SHA256 hash of the username and current UNIX timestamp. The timestamp must be within 30 seconds of either side of the current server time (synchronised UTC).
Pseudo-code
All subsequent requests must provide the supplied bearer token in each request, using the Authorization: Bearer ... header.
Example
Request:
Response:

Two-Factor Authentication Checks#

Be aware
Service accounts currently do not support two-factor authentication and requests requiring such will fail.
There is a roadmap proposal for this feature, but it currently has no timeframe.

Request Authorisation#

If specific tenant permissions are required to invoke a request, they will be detailed in the request description, including any permissions specific to accessing the entity.
Example
Modifying a user's roles requires the user / modify permission, but you must already have the user / view permission to be able to see that the user is a member of the tenant.

Role-based access management#

User authorisation is handled per tenant using "security roles", where these are a set of permissions that can be "granted" or "denied".
A user's final set of abilities (the set of permissions that apply to them for the current tenant) is the intersection of all granted permissions without any of the denied ones, plus any internal abilities provided based on other factors.
Example
 user / viewuser / modifyuser / delete
Role 1 Grant DenyUnset
Role 2Unset Grant Grant
Applied to user Applied Denied Applied
Some abilities support "contexts". For example, user / view in the self context will grant/deny the user to see their own user profile. The others context applies to all non-self entities.
Modified at 2025-06-28 20:26:00
Previous
Validation failures (418)
Next
Get service bearer token (password)
Built with