
OAuth

OAuth is a simple, secure, and standardized way to perform authentication without actually exchanging sensitive credentials like usernames and passwords.

Registration

You can't use OAuth with all institutions. Some institutions support OAuth, some don't, and some only support OAuth, which means you won't be able to authenticate using ordinary credentials.

Before you can use OAuth, you must register with the financial institution. This registration process is what provides the tokens required for a successful and secure authentication. We handle all these registrations for you, but you must request production access to the Platform API first. Request production access and apply for OAuth registration on the Client Dashboard.

Guides

These guides explain how to handle OAuth when building against the MX API.

OAuth WebView Limitations

OAuth flows require you to facilitate the redirect to the OAuth provider. Do not open the OAuth window in a WebView. Some institutions, such as Chase, have security restrictions for certain web containers or browsers.

OAuth URLs cannot be launched within insecure containers, because such containers allow the host mobile or desktop application to intercept customer input and thus customer credentials. If a user is on one of these containers, the OAuth flow will be blocked during the redirect. To reduce this risk, do not open the OAuth window in a WebView. Instead, load the OAuth URI in the device's default browser.

The known supported and unsupported methods are listed below:

Supported Methods

Known Unsupported Methods
  • WKWebView
  • UIWebView
  • Android WebView
Info: Supported and unsupported containers may change as technology changes. The technology used to launch the OAuth flow must not have the ability to capture credentials.
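
As an added example (not MX code), a web page that starts the OAuth redirect can check whether it is running inside one of the unsupported containers listed above before it navigates. The function names, the user-agent heuristics and the sample strings are assumptions constructed for illustration.

```javascript
// Added example, not MX code. User-agent strings are controlled by the host
// app, so the result is a hint for the UI, not a security boundary.

// Heuristic: classify the container that is rendering the page.
function classifyContainer(userAgent) {
  const ua = String(userAgent || "");
  // Android System WebView (5.0+) adds a "wv" token at the end of the
  // platform section, e.g. "(Linux; Android 13; Pixel 7 Build/X; wv)".
  if (/Android[^)]*;\s*wv\)/.test(ua)) return "android-webview";
  // Default WKWebView/UIWebView user agents carry AppleWebKit but, unlike
  // Safari, no "Safari/" token.
  if (/\b(iPhone|iPad|iPod)\b/.test(ua) && /AppleWebKit/.test(ua) &&
      !/Safari\//.test(ua)) return "ios-webview";
  return "browser";
}

// Decide how to launch the OAuth URI. Requiring https is an assumption of
// this example, not a rule stated on the page.
function planOAuthLaunch(userAgent, oauthUri) {
  let url;
  try {
    url = new URL(oauthUri);
  } catch {
    return { action: "reject", reason: "malformed OAuth URI" };
  }
  if (url.protocol !== "https:") {
    return { action: "reject", reason: "OAuth URI is not https" };
  }
  const container = classifyContainer(userAgent);
  // Inside a WebView, do not navigate: hand the URI to the host app so it can
  // open the device's default browser.
  const action = container === "browser" ? "redirect" : "open-in-default-browser";
  return { action, container, uri: url.href };
}

// Constructed sample user agents (not captured from real devices).
const SAMPLE_UAS = {
  androidWebView: "Mozilla/5.0 (Linux; Android 13; Pixel 7 Build/TQ3A.230805.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/120.0.0.0 Mobile Safari/537.36",
  androidChrome: "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36",
  iosWebView: "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148",
  iosSafari: "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1",
};
```

Because a host app can set any user-agent string, a "browser" result does not prove the container is safe; the native app still has to open the URI in the default browser itself.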