Skip to main content

OAuth Guide

OAuth is a simple, secure, and standardized way to perform authentication without actually exchanging sensitive credentials like usernames and passwords.

This guide explains how to properly deal with OAuth while coding up to the MX API whether you're developing for the browser or a mobile app. If you're using our Connect Widget for creating members on the MX platform, it deals with OAuth somewhat automatically. We've got separate guides if you're using Connect Widget.

Registration

You can't use OAuth with all institutions. Some institutions support OAuth, some don't, and some only support OAuth, which means you won't be able to authenticate using ordinary credentials.

Before you can use OAuth, you must register with the financial institution. This registration process is what provides the tokens required for a successful and secure authentication. We handle all these registrations for you, but you must request production access to the Platform API first. Request production access and apply for OAuth registration on the Client Dashboard.

OAuth Webview Limitations

OAuth flows require you to facilitate the redirect to the OAuth provider. Do not open the OAuth window in a Webview. Some institutions, such as Chase, have security restrictions for certain web containers or browsers. For more information on Chase's suggestions for OAuth flows, visit the Chase Developer website.

OAuth URLs cannot be launched within insecure containers because they allow the mobile application or desktop app to intercept customer input and thus intercept customer credentials. If a user is on one of these containers, the OAuth flow will be blocked during the redirect. To reduce this risk, do not open the OAuth window in a WebView. Instead, load the OAuth URI in the device's default browser.

We've provided known and unknown supported methods:

Supported MethodsKnown Unsupported Methods
  • WKWebView
  • UIWebView
  • Android
  • WebView
info

Supported and unsupported containers may change as technology changes. The technology used to launch the OAuth flow must now have the ability to capture credentials.

Testing OAuth Flows

If you want to test a realistic OAuth flow, we recommend using our MXCU (OAuth) test institution. See Testing with MXCU for more information.

This test institution behaves just like any other OAuth institution, but doesn't require registration. Our OAuth guide only uses this test institution.

Workflows

Standard aggregation (of account an transaction data) will start after a successful OAuth connection. This can be disabled with the skip_aggregation parameter when creating a member.