Skip to main content

OAuth Guide

OAuth is a simple, secure, and standardized way to perform authentication without actually exchanging sensitive credentials like usernames and passwords.

This guide explains how to properly deal with OAuth while coding up to the MX API whether you're developing for the browser or a mobile app. If you're using our Connect Widget for creating members on the MX platform, it deals with OAuth somewhat automatically. We've got separate guides if you're using Connect Widget.

Registration

When working with OAuth, keep the following information in mind:

  1. You can't use OAuth with all institutions — some support OAuth and some don't. On the other hand, some institutions only support OAuth, and you won't be able to authenticate using ordinary credentials.
  2. Before you can use OAuth, you must register with the financial institution. This registration process is what provides the tokens required for a successful and secure authentication. We handle all these registrations for you, but you must request production access to the Platform API first. Request production access and apply for OAuth registration on the Client Dashboard.

OAuth Webview Limitations

OAuth flows require you to facilitate the redirect to the OAuth provider. Do not open the OAuth window in a Webview. Some finanical instutitions, such as Chase, have security restrictions for certain web containers or browsers. For more information on Chase's suggestions for OAuth flows, visit the Chase Developer website.

OAuth URLs cannot be launched within insecure containers because they allow the mobile application or desktop app to intercept customer input and thus intercept customer credentials. If a user is on one of these containers, the OAuth flow will be blocked during the redirect. To reduce this risk, do not open the OAuth window in a WebView. Instead, load the OAuth URI in the device's default browser.

We've provided known and unknown supported methods:

Supported MethodsKnown Unsupported Methods
  • WKWebView
  • UIWebView
  • Android
  • WebView
info

Supported and unsupported containers may change as technology changes. The technology used to launch the OAuth flow must now have the ability to capture credentials.

Using MXbank and OAuth

It's important to note that there is only one OAuth institution available in the integrations environment: mx_bank_oauth, which is one of our test institutions. It will behave just like any other OAuth institution, and it does not require registration. Hence, everything you'll see in our OAuth guide only uses this test institution.

For more information about MXbank, review our guide on testing.

Workflows

Standard aggregation (of account an transaction data) will start after a successful OAuth connection. This can be disabled with the skip_aggregation parameter when creating a member.

On this page