Skip to main content
FreshCreditFreshCredit®INC
Documentation / Authentication /

Authentication

OAuth 2.0 flows, API key management, webhook signatures, JWT handling, and security best practices for production.

Authentication Methods /

API Key Authentication

Use API keys for server-to-server authentication. Include your key in the Authorization header with Bearer prefix.

// Request header
Authorization: Bearer fc_live_xxxxxxxxxxxxxxxx

// Generate HMAC signature
const crypto = require('crypto');
const signature = crypto
  .createHmac('sha256', API_SECRET)
  .update(timestamp + method + path + body)
  .digest('hex');

// Include signature header
X-FreshCredit-Signature: {signature}
X-FreshCredit-Timestamp: {unix_timestamp}

OAuth 2.0

For user-delegated access, use OAuth 2.0 authorization code flow. Users authorize your application to access their FreshCredit data.

// Step 1: Redirect user to authorization endpoint
https://app.freshcredit.com/oauth/authorize?
  response_type=code&
  client_id=your_client_id&
  redirect_uri=https://your-app.com/callback&
  scope=blockid:read blockscore:read&
  state=random_state_string

// Step 2: Exchange code for access token
POST https://api.freshcredit.com/v1/oauth/token
{
  "grant_type": "authorization_code",
  "code": "auth_code_from_callback",
  "client_id": "your_client_id",
  "client_secret": "your_client_secret",
  "redirect_uri": "https://your-app.com/callback"
}
OAuth Scopes /
blockid:readRead identity verification status and credentials
blockid:writeInitiate identity verification workflows
blockscore:readRead credit scores and model outputs
blockscore:writeCreate and update custom credit models
blockiq:readRead offer matching data and marketplace info
blockiq:writeCreate and manage offers
wallet:readRead user's self-custody wallet data
webhooksConfigure and manage webhook endpoints
Webhook Security /

Webhook Signature Verification

All webhooks include a signature header. Verify signatures to ensure requests originate from FreshCredit.

const crypto = require('crypto');

function verifyWebhookSignature(payload, signature, secret) {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

// In your webhook handler
app.post('/webhooks/freshcredit', (req, res) => {
  const signature = req.headers['x-freshcredit-signature'];
  const payload = JSON.stringify(req.body);
  
  if (!verifyWebhookSignature(payload, signature, WEBHOOK_SECRET)) {
    return res.status(401).send('Invalid signature');
  }
  
  // Process webhook
  handleWebhook(req.body);
  res.status(200).send('OK');
});
Security Best Practices /

Store Credentials Securely

Never expose API secrets in client-side code. Use environment variables and secret management systems like AWS Secrets Manager or HashiCorp Vault.

Rotate Keys Regularly

Rotate API keys every 90 days. FreshCredit supports multiple active keys for zero-downtime rotation.

Use HTTPS Only

All API requests must use HTTPS. Unencrypted HTTP requests are rejected.

Next Steps

Explore BlockID™Download SDKs