Third Party Data Exchange
The Platform API's Data Exchange endpoints let you share financial data with service providers, external partners, and vendors. The process has two parts that work together: first, you establish a client grant; then, the grantee exchanges that grant for a token and uses it to access Data Exchange endpoints.
Terms and Roles
| Term | Description |
|---|---|
| Client grant | Permission issued by one MX client (issuer) to one or more MX clients (grantees) to access shared data. |
| Issuer | The MX client that owns the data and issues the grant. |
| Grantee | An MX client that has been granted access to the issuer's data. |
| Grant party | The unique combination of one issuer and all associated grantees. Only one active grant can exist per grant party. |
| Data Recipient | Grantee role that receives data and delivers the service. It may pull data from MX directly or receive it from a Data Collector. |
| Data Collector | Grantee role that pulls data from MX and passes it to the Data Recipient without storing it. |
Workflow
| Step | What happens | Responsible party |
|---|---|---|
| 1. Create and manage the client grant | Define grant party and data scope, then request grant creation, renewal, or revocation | Client and MX Support team |
| 2. Read grant and create token | Confirm the grant is active and exchange the grant for a Data Exchange token | Provider |
| 3. Access Data Exchange endpoints | Use Platform API credentials plus the Data Exchange token to pull data | Provider |
Create and manage the client grant
To issue a client grant to one or more service providers, contact Support and provide the following information:
- A list of service providers and their role: Data Collector or Data Recipient
- The source of data to exchange:
  - Held data: Data owned by the client issuing the grant
  - Aggregated data: Data collected by MX through end user-authorized connected institutions
  - All data: Access to both held and aggregated data
The issuer and the full set of grantees form the grant party. For every grant party, there can be only one active grant. Grants expire one year from the date they are issued and can be extended by renewing. Grants can be revoked or re-issued at any time, and the change takes effect immediately. Renewing a grant does not interrupt concurrent data exchanges and does not require service providers to acquire a new token.
To revoke or renew a client grant identified by a specific grant party, contact Support.
Client grant endpoints:
- List Grants By Issuer
- List Grants By Grantee
- Read Grant By Grant Party
Read the grant and exchange it for a token
After Support has created the client grant, the grantee can query for that
grant by grant party using the client GUID of the issuer and the full set of
grantees. If the client grant is still active, exchange it for a signed,
Base64-encoded JWT by calling the Create Token endpoint with the grantee
client_guid and the grant guid.
The token is valid for 1 hour.
Endpoints used in this step:
- Read Grant By Grant Party
- Create Token
Read Grant By Grant Party Example
```bash
# -g (--globoff) stops curl from treating the [] in grantees[] as a URL glob range
curl -L -g -X POST 'https://int-api.mx.com/data_exchange/grant?issuer={issuer_client_guid}&grantees[]=grantee_client_guid1&grantees[]=grantee_client_guid2' \
  -H 'Accept: application/json' \
  -H 'AcceptVersion: rc20260430' \
  -H 'Authorization: Basic BASE_64_ENCODING_OF{client_id:api_key}'
```
If the client grant is still active, it is returned and can be exchanged for a signed Base64-encoded JWT.
Create Token Example
```bash
curl -L -X POST 'https://int-api.mx.com/data_exchange/grantee/{:client_guid}/grants/{:grant_guid}/token' \
  -H 'Accept: application/json' \
  -H 'AcceptVersion: rc20260430' \
  -H 'Authorization: Basic BASE_64_ENCODING_OF{client_id:api_key}'
```
Use the returned token to pull data from namespaced Data Exchange endpoints.
Authenticate and access Data Exchange endpoints
Data Exchange requests require two forms of authentication on every request:
- Standard Platform API credentials: your client_id and api_key passed as a Base64-encoded Basic Auth header.
- Data Exchange token: a signed, Base64-encoded JWT passed in the MX-3DX-TOKEN request header.
Use the token to call namespaced Data Exchange endpoints such as:
- List Users
- List Accounts
- List Transactions
List Users Example
```bash
curl -L -X GET 'https://int-api.mx.com/data_exchange/users' \
  -H 'Accept: application/json' \
  -H 'AcceptVersion: rc20260430' \
  -H 'Authorization: Basic BASE_64_ENCODING_OF{client_id:api_key}' \
  -H 'MX-3DX-TOKEN: token'
```
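The following is an added example, not part of MX's documentation: a grantee-side helper that builds both required headers and requests a fresh token before the one-hour validity runs out. The `create_token` callable, the 5-minute refresh margin, and all class and function names are assumptions made for illustration.

```python
import base64
import time

TOKEN_LIFETIME_S = 3600  # the page states the token is valid for 1 hour
REFRESH_MARGIN_S = 300   # assumption: refresh 5 minutes early to absorb clock skew


def basic_auth_value(client_id, api_key):
    """Authorization header value: Base64 of 'client_id:api_key'."""
    raw = f"{client_id}:{api_key}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class DataExchangeAuth:
    """Holds Platform API credentials plus a cached Data Exchange token.

    create_token is a caller-supplied callable (hypothetical) that performs
    the Create Token request and returns the JWT string.
    """

    def __init__(self, client_id, api_key, create_token, clock=time.monotonic):
        self._basic = basic_auth_value(client_id, api_key)
        self._create_token = create_token
        self._clock = clock
        self._token = None
        self._obtained_at = None

    def _token_is_fresh(self):
        if self._token is None:
            return False
        age = self._clock() - self._obtained_at
        return age < TOKEN_LIFETIME_S - REFRESH_MARGIN_S

    def invalidate(self):
        """Drop the cached token, for example when a request using it is rejected."""
        self._token = None

    def headers(self):
        """Both credentials required on every Data Exchange request."""
        if not self._token_is_fresh():
            self._token = self._create_token()
            self._obtained_at = self._clock()
        return {
            "Accept": "application/json",
            "AcceptVersion": "rc20260430",  # value taken from the page's curl examples
            "Authorization": self._basic,
            "MX-3DX-TOKEN": self._token,
        }
```

Tracking the age locally avoids depending on any claim inside the JWT, since the page does not document the token's contents.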