Authentication
All API requests require authentication using an API key or OAuth 2.0 token.
API Key Authentication
Include your API key in the Authorization header:
```bash
curl https://api.islamicopenfinance.com/api/v1/contracts \
  -H "Authorization: Bearer iof_sk_live_abc123..."
```
Key Types
| Type | Prefix | Environment |
|---|---|---|
| Live Secret | iof_sk_live_ | Production |
| Test Secret | iof_sk_test_ | Sandbox |
| Publishable | iof_pk_ | Client-side |
Creating Keys
Via the dashboard or API:
```javascript
// `iof` is an already-initialized client; the new key is limited to the listed scopes.
const key = await iof.apiKeys.create({
  name: "Production Server",
  permissions: ["contracts:*", "kyc:read"],
});
```
OAuth 2.0
For user-delegated access:
```bash
curl https://api.islamicopenfinance.com/api/v1/contracts \
  -H "Authorization: Bearer iof_at_abc123..."
```
See OAuth 2.0 Guide for implementation details.
Scopes
| Scope | Access |
|---|---|
| contracts:read | Read contracts |
| contracts:write | Create/update contracts |
| contracts:* | Full contract access |
| kyc:read | Read KYC data |
| kyc:write | Submit verifications |
| billing:read | View billing |
| admin:* | Full admin access |
Error Responses
401 Unauthorized
```json
{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid or missing API key"
  }
}
```
403 Forbidden
```json
{
  "error": {
    "code": "FORBIDDEN",
    "message": "API key lacks required permissions"
  }
}
```
Security Best Practices
- Never expose secret keys in client-side code
- Use environment variables for credentials
- Rotate keys regularly (90 days recommended)
- Use minimum required scopes
- Monitor key usage for anomalies
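The first two practices can be checked in code. The following is an added example, not part of the IOF documentation or SDK: it scans text such as a browser bundle for the secret-key prefixes from the Key Types table, and loads a server key from the environment while rejecting a publishable or wrong-environment key. The `IOF_API_KEY` variable name, the key-body character set and all function names are assumptions.

```javascript
// Added example, not IOF code. Prefixes come from the Key Types table;
// the key-body charset and the IOF_API_KEY variable name are assumptions.
const PREFIXES = [
  { prefix: "iof_sk_live_", type: "live-secret", environment: "production", secret: true },
  { prefix: "iof_sk_test_", type: "test-secret", environment: "sandbox", secret: true },
  { prefix: "iof_pk_", type: "publishable", environment: "client-side", secret: false },
];

function classifyKey(key) {
  return PREFIXES.find((p) => key.startsWith(p.prefix)) || null;
}

// Scan source text (e.g. a browser bundle) for embedded secret keys.
// Findings carry a redacted value so the report does not leak the key again.
function findSecretKeys(text) {
  const pattern = /iof_sk_(?:live|test)_[A-Za-z0-9]+/g;
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(pattern)) {
      const info = classifyKey(m[0]);
      findings.push({ line: i + 1, type: info.type, redacted: info.prefix + "****" });
    }
  });
  return findings;
}

// Load the server-side key from the environment and fail closed when it is
// missing, publishable, or belongs to the other environment.
function loadApiKey(env, expectedEnvironment) {
  const key = env.IOF_API_KEY; // assumed variable name
  if (!key) throw new Error("IOF_API_KEY is not set");
  const info = classifyKey(key);
  if (!info || !info.secret) throw new Error("IOF_API_KEY is not a secret key");
  if (info.environment !== expectedEnvironment) {
    throw new Error(`expected a ${expectedEnvironment} key, got ${info.type}`);
  }
  return key;
}

// Constructed sample: a client bundle that wrongly embeds a live secret key.
const sampleBundle = [
  'const pk = "iof_pk_EXAMPLEpublishable";',
  'const sk = "iof_sk_live_EXAMPLEconstructed0001";',
].join("\n");
console.log(findSecretKeys(sampleBundle));
```

Run `findSecretKeys` over built client assets in CI and fail the build on any finding; call `loadApiKey(process.env, "production")` once at server start-up.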
Next Steps
- API Keys Guide - Key management
- Errors Reference - Error codes