A basic token is used for authentication with all types of authorization requests, and a bearer token is used for post-authentication requests. For example:
- Basic base64 (client_id:client_secret) (used for creating and interacting with Authorize APIs)
- Bearer access_token (used for all other resource APIs)
- A Client Credential Grant is for when your application needs to receive only Citi data and not a customer’s – for example, you are using the onboarding API to retrieve or submit credit card offers. In short, it lets us know that you are a validated API consumer.
- An Authorization Code Grant is when you need a customer’s permission to retrieve their data – such as their account information or transaction information.
- You need to implement multi-factor authentication when you perform a high-risk transaction, such as making a money transfer.
- For a detailed list of differences and which API domains require which type of token, take a look at our Authorize Guide.
- Authcode (what you use to exchange for an access token) - 120 seconds
- access_token (what you need to call other APIs) - 30 minutes
- refresh_token (how you can programmatically refresh your access token) - 30 days
It could be a variety of issues, but here are some common problems. If these don’t help, please let us know at our contact us page.
- Check that your client_id and client_secret are correctly matched against the application you created.
- Verify that your Base64 encoding has been correctly formatted per the authorization documentation.
- Ensure that Basic is prefixed to the encoded client_id and client_secret when making your token call.
- Make sure that your access token is not invalidated or expired.
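
The checks in this list can be run locally before retrying a token call. The following is an added example, not code from Citi's documentation: the function names are hypothetical, the credentials are constructed placeholders, and the lifetimes are the ones stated on this page.

```python
import base64

# Lifetimes stated on this page, in seconds.
LIFETIMES = {"authcode": 120, "access_token": 30 * 60, "refresh_token": 30 * 24 * 3600}

def build_basic_header(client_id, client_secret):
    """Return the Authorization header value: Basic base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def diagnose_basic_header(header, expected_client_id):
    """List problems in a Basic header value. Messages never include the secret."""
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic" or not encoded:
        return ["header is not prefixed with 'Basic '"]
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return ["value after 'Basic ' is not valid base64"]
    problems = []
    if decoded != decoded.strip():
        # Typical cause: encoding with `echo` instead of `echo -n`.
        problems.append("stray whitespace or newline was encoded with the credentials")
    client_id, sep, secret = decoded.partition(":")
    if not sep or not secret.strip():
        problems.append("decoded value is not client_id:client_secret")
    elif client_id != expected_client_id:
        problems.append("client_id does not match the application")
    return problems

def is_expired(kind, issued_at, now):
    """True once a token of this kind has reached the lifetime listed above."""
    return now - issued_at >= LIFETIMES[kind]

if __name__ == "__main__":
    # Constructed placeholder credentials, not real values.
    good = build_basic_header("demo-client-id", "demo-secret")
    print(diagnose_basic_header(good, "demo-client-id"))        # no problems
    print(diagnose_basic_header(good[len("Basic "):], "demo-client-id"))
    print(is_expired("access_token", issued_at=0, now=31 * 60))
```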