This type of authentication is only available to select partners upon request.
This authentication flow is suitable for server-to-server integrations where authentication needs to be done without human intervention.
Your OpenAPI Application
When an application is created for you on OpenAPI, you will receive the following application details:
|Application detail|Description|
|AppUrl|A URL uniquely representing your app.|
|AuthenticationUrl|The URL of the Saxo Bank authentication & authorization server.|
|AppKey|The Application key identifying your application.|
|Application secret|The Application "secret" identifying your application.|
|OpenAPI base URL|Base URL for calling OpenAPI REST endpoints.|
These can be mapped to the necessary OAuth parameters:
|OAuth parameter|Saxo App Value|
|token_url|AuthenticationUrl + '/token'|
|grant_type|Static value; must be 'urn:saxobank:oauth:grant-type:personal-jwt'|
Obtaining a Certificate
After your application has been created, you need to obtain a certificate; follow the steps described here to get it: Managing Certificates in MyAccount
Creating the JSON Web Token
For an introduction to JWTs, see this Introduction to JSON Web Tokens
We require the JWT to be created with the following header and claims:
|Header|Value|Reference|
|Thumbprint of the X509 certificate used for signing the JWT (the certificate downloaded from MyAccount)||RFC 7515|
|Algorithm used to sign the JWT|RS256 (the only algorithm supported at the moment)|RFC 7518|
|Claim|Value|
|Issuer|The AppKey of the client application.|
|UserId|The user id for which the token is needed.|
|Expiry|A Unix timestamp indicating the expiry of the token.|
|Audience|The AuthenticationUrl.|
|AppUrl|The AppUrl of your application.|
Requesting the Access Token
Once the JWT has been created and signed, it can be exchanged for an access token by sending a POST request to the token_url. The request must be authenticated with HTTP Basic Auth, using your client_id as the username and your client_secret as the password; the Basic Auth credential is the base64-encoded string "client_id:client_secret". The JWT is sent in a parameter named 'assertion'.
If your OAuth library does not support sending the credentials as HTTP Basic Auth, we also accept them as part of the POST body:
The response to this request will contain an access_token and a refresh_token:
See the code sample in NodeJs for CBA.