Authentication - Onboard Developer Documentation

Overview

To interact with the Onboard Connect API, 3rd party clients must authenticate using one of the following methods:

Session-based authentication (x-auth-token) - Used for requests requiring an authenticated user session.
API Key authentication (x-api-key) - Used to identify your 3rd party application.
HMAC Signature authentication - Required for more sensitive endpoints (e.g., user creation), ensuring request integrity.

Check the specific endpoint documentation to determine which authentication method is required.

Authentication methods

Session-Based Authentication

Used for endpoints requiring an authenticated user session.

Steps: Obtain an x-auth-token after completing user authentication (e.g., OTP login).

Include this token in the request headers:

Authorization: Bearer <x-auth-token>

Example Request:

GET /users/me
Authorization: Bearer <x-auth-token>

API Key Authentication

Some endpoints require your API key to identify your application as the requesting 3rd party client.

Steps:

Retrieve your API key from the Business Dashboard after onboarding.
Include the API key in either:

x-api-key: <your-api-key>

Some endpoints require x-api-key while others do not. Check the endpoint’s documentation to confirm.

HMAC Signature Authentication

Certain sensitive endpoints, such as user creation, require an HMAC SHA-256 signature for verification. Requests without a valid signature will be rejected.

Required Headers:

Header	Description
x-api-key	Found in the Business Dashboard
x-signature	HMAC-SHA256 signature of the request body
x-timestamp	Unix timestamp (seconds) when the signature was generated

How to generate `x-signature`

The signature is generated using HMAC SHA-256 with your API secret as the key.

Example (JavaScript):

const crypto = require('crypto');

const timestamp = Math.ceil(Date.now() / 1000);
const apiSecret = "Onboard API secret"; // Found in the Business Dashboard
const requestBody = JSON.stringify({ /* your request body */ });

const params = [`t=${timestamp}`, requestBody].join('&');
const signature = crypto.createHmac('sha256', apiSecret).update(params).digest('hex');

console.log(`x-signature: ${signature}`);

Making a secure API request

Include the following headers in your request:

x-api-key: <your-api-key>
x-signature: <computed-signature>
x-timestamp: <epoch-timestamp>

x-timestamp must be within 30 seconds of the current time. Older timestamps will result in a 403 Forbidden error.

Unauthorized Requests: Endpoints that require authentication will return a 401 Unauthorized status code for missing or invalid credentials.

Onboard Connect APIs

​Overview

​Authentication methods

Overview

Authentication methods