API Keys
API keys provide server-to-server authentication for the Islamic Open Finance™ API.
Key Types
| Type | Prefix | Usage |
|---|---|---|
| Secret Key | iof_sk_ | Server-side only |
| Publishable Key | iof_pk_ | Client-side (limited access) |
| Test Key | iof_sk_test_ | Sandbox environment |
Creating API Keys
Via Dashboard
- Navigate to Settings → API Keys
- Click Create New Key
- Select permissions and scopes
- Copy and securely store the key
Via API
```js
const apiKey = await iof.apiKeys.create({
  name: "Production Server",
  permissions: ["contracts:read", "contracts:write"],
  expiresAt: new Date("2025-12-31"),
});

// The secret key is shown only once, at creation; store it securely now.
console.log(apiKey.secretKey); // iof_sk_live_...
```
Using API Keys
Include the key in the Authorization header:
```bash
curl https://api.islamicopenfinance.com/api/v1/contracts \
  -H "Authorization: Bearer iof_sk_live_abc123..."
```
Or with the SDK:
```js
import { IslamicOpenFinance } from "@iof/sdk";

const iof = new IslamicOpenFinance({
  apiKey: process.env.IOF_API_KEY,
});
```
Key Permissions
| Scope | Description |
|---|---|
| contracts:read | Read contract data |
| contracts:write | Create/update contracts |
| kyc:read | Read KYC data |
| kyc:write | Submit KYC verifications |
| billing:read | View billing information |
| admin:* | Full administrative access |
Security
- Keys are only shown once at creation
- Rotate keys regularly (recommended: every 90 days)
- Use different keys for different environments
- Monitor key usage in the dashboard
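A check that follows from the Key Types table and the advice to keep keys separate per environment, as an added example (not part of the Islamic Open Finance documentation or SDK): it finds key-shaped strings in source or configuration text, classifies them by prefix, and flags anything other than a publishable key in client-side code, or a test key in production configuration. The function names, the `context` values and the key character set are assumptions made for illustration.

```javascript
// Prefixes from the Key Types table, longest first: iof_sk_test_ also starts
// with iof_sk_, so matching the short prefix first would mislabel test keys.
const KEY_TYPES = [
  { prefix: "iof_sk_test_", type: "test" },
  { prefix: "iof_sk_", type: "secret" },
  { prefix: "iof_pk_", type: "publishable" },
];

// Assumption: key bodies are letters, digits and underscores (not stated on the page).
const KEY_PATTERN = /\biof_(?:sk|pk)_[A-Za-z0-9_]+/g;

// Report a key by its type prefix and last four characters, never in full.
function redactKey(key, prefix) {
  const body = key.slice(prefix.length);
  return `${prefix}...${body.length > 8 ? body.slice(-4) : ""}`;
}

// context: "client" (browser bundle, mobile app) or "production" (server config).
function scanForKeys(text, context) {
  const findings = [];
  text.split("\n").forEach((line, index) => {
    for (const [key] of line.matchAll(KEY_PATTERN)) {
      const { prefix, type } = KEY_TYPES.find((t) => key.startsWith(t.prefix));
      let violation = null;
      if (context === "client" && type !== "publishable") {
        violation = "only publishable keys belong in client-side code";
      } else if (context === "production" && type === "test") {
        violation = "sandbox key in a production configuration";
      }
      findings.push({ line: index + 1, type, key: redactKey(key, prefix), violation });
    }
  });
  return findings;
}

// Constructed sample input: none of these are real keys.
const SAMPLE_BUNDLE = [
  'const pub = "iof_pk_9f8e7d6c5b4a3210";',
  'const oops = "iof_sk_live_0123456789abcdef";',
  'const sandbox = "iof_sk_test_fedcba9876543210";',
].join("\n");

for (const f of scanForKeys(SAMPLE_BUNDLE, "client")) {
  console.log(`line ${f.line}: ${f.type} key ${f.key}`, f.violation ?? "ok");
}
```

Run it over build output or deployment configuration in CI and fail the job when any finding carries a violation.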
JWT Tokens
For session-based authentication, Islamic Open Finance™ supports JWTs (JSON Web Tokens).
JWT Structure
```
Header.Payload.Signature
```
Obtaining a JWT
```bash
curl -X POST https://api.islamicopenfinance.com/api/v1/auth/token \
  -H "Content-Type: application/json" \
  -d '{
    "apiKey": "iof_sk_live_abc123...",
    "scope": ["contracts:read", "contracts:write"]
  }'
```
Response:
```json
{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "tokenType": "Bearer",
  "expiresIn": 3600,
  "refreshToken": "iof_rt_..."
}
```
Using JWTs
```bash
curl https://api.islamicopenfinance.com/api/v1/contracts \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
```
JWT Best Practices
- Store tokens securely (never in localStorage for sensitive apps)
- Implement token refresh before expiry
- Use short-lived access tokens (1 hour recommended)
- Validate token claims on the server
Next Steps
- OAuth 2.0 - User-delegated authentication
- API Reference - Start making API calls