Fuse APIs use the standards-compliant OAuth 2.0 "Client Credentials" flow for all requests.
While covering the details of OAuth is beyond the scope of this documentation, below are some important concepts to keep in mind as you authenticate and use the Fuse APIs.
Configuring Your Client
To configure OAuth in the client of your choice, ensure the following are set:
- The "grant type" should be set to "Client Credentials"
- The "access token URL" should be set to https://auth.fuse.paveapp.com/oauth/token (regardless of whether you are using production or sandbox)
- The "client ID" should be set to the value for your account shown on the Fuse Dashboard's API Keys page. For Sandbox, see the same page on the Fuse Sandbox Dashboard.
- The "client secret" should be set to the value for your account shown on the Fuse Dashboard's API Keys page. For Sandbox, see the same page on the Fuse Sandbox Dashboard.
Client Secrets
When first setting up the Fuse APIs you will be provided with a Client ID and a Client Secret, which you can find on the Fuse Dashboard's API Keys page. For Sandbox, see the same page on the Fuse Sandbox Dashboard. These should be treated as confidential: store them somewhere secure and limit access to them where possible.
Critical
If you have reason to believe that your Client Secret has been leaked, please contact Pave immediately so your old credentials can be revoked and new ones issued to you.
Refreshing Tokens
You use your Client ID and Client Secret to issue API tokens at the endpoint https://auth.fuse.paveapp.com/oauth/token.
API tokens are valid for 10 hours; after this period elapses a new one must be created, for security reasons.
Scopes
Every API token can optionally have scopes applied. These scopes determine what the API token has access to when calling the Fuse APIs. The following scopes are available to use when you create a token:
- bank_connections — Access to bank connections for users, including authorising new ones
- byod — Access to populate account and transaction data for users from your own data sources
- recurring_transactions — Access to recurring transactions for users
- transactions — Access to transactions for users
- users — Access to users
Each scope implies create/read/update/delete privileges for the resources within that scope.
If a token has scopes applied to it, it can only access the resources explicitly permitted by those scopes. If a specific scope is not included, the token is denied access to the resources or actions associated with that scope.
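The following is an added example (not Fuse or Pave code) that ties together the client configuration, the 10-hour token lifetime and the scope rules described above: it builds the Client Credentials token request, caches the issued token and re-issues it shortly before it expires, and checks whether a token's scopes permit a given resource. The page does not specify the exact wire format, so the example assumes the client ID and secret are sent as form parameters, scopes are requested through a space-delimited `scope` parameter, and the token response is JSON with `access_token` and `expires_in` fields, as in RFC 6749; the environment variable names `FUSE_CLIENT_ID` and `FUSE_CLIENT_SECRET` are hypothetical.

```python
"""Client Credentials token helper for the Fuse token endpoint.

Added example, not Fuse/Pave code. Assumptions not stated on the page:
credentials go in the form body, scopes are a space-delimited `scope`
parameter, and the response is JSON with `access_token` / `expires_in`.
"""
import json
import os
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://auth.fuse.paveapp.com/oauth/token"  # same URL for sandbox and production
KNOWN_SCOPES = {"bank_connections", "byod", "recurring_transactions", "transactions", "users"}
TOKEN_LIFETIME_SECONDS = 10 * 60 * 60  # the page states tokens are valid for 10 hours
REFRESH_MARGIN_SECONDS = 5 * 60        # re-issue shortly before expiry to avoid mid-request failures


def build_token_request(client_id, client_secret, scopes=()):
    """Return (url, headers, body_bytes) for a client_credentials grant."""
    unknown = set(scopes) - KNOWN_SCOPES
    if unknown:
        raise ValueError(f"unknown scope(s): {sorted(unknown)}")
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }
    if scopes:
        form["scope"] = " ".join(sorted(set(scopes)))  # assumption: RFC 6749 space-delimited list
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    return TOKEN_URL, headers, urlencode(form).encode()


def http_fetch(url, headers, body):
    """Real transport: POST the form and decode the JSON token response."""
    with urlopen(Request(url, data=body, headers=headers, method="POST")) as resp:
        return json.loads(resp.read().decode())


class TokenCache:
    """Holds one access token and re-issues it before its validity period ends.

    `fetch` takes (url, headers, body) and returns the parsed token response;
    `clock` returns the current time. Both are injectable so the cache can be
    exercised offline.
    """

    def __init__(self, client_id, client_secret, scopes=(), fetch=http_fetch, clock=time.time):
        self._creds = (client_id, client_secret, tuple(scopes))
        self._fetch, self._clock = fetch, clock
        self._token, self._expires_at = None, 0.0
        self.issue_count = 0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - REFRESH_MARGIN_SECONDS:
            url, headers, body = build_token_request(*self._creds)
            resp = self._fetch(url, headers, body)
            self._token = resp["access_token"]
            lifetime = float(resp.get("expires_in", TOKEN_LIFETIME_SECONDS))
            self._expires_at = now + lifetime
            self.issue_count += 1
        return self._token


def scope_permits(granted_scopes, needed_scope):
    """Scopes are optional: a token issued without any is not restricted by them,
    while a token with explicit scopes reaches only the resources they name."""
    granted = set(granted_scopes)
    return not granted or needed_scope in granted


if __name__ == "__main__":
    # Secrets are read from the environment (hypothetical variable names), never hard-coded.
    cache = TokenCache(os.environ["FUSE_CLIENT_ID"], os.environ["FUSE_CLIENT_SECRET"],
                       scopes=["users", "transactions"])
    print(cache.get()[:8] + "...")
```

The cache refreshes 5 minutes before the reported `expires_in` runs out rather than on the first failed call, so a long-running worker never sends a request with a token that expires mid-flight; the margin is a design choice, not something the page prescribes.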