OAuth 2.0
Islamic Open Finance™ supports OAuth 2.0 for user-delegated access to the API.
Supported Flows
| Flow | Use Case |
|---|---|
| Authorization Code | Web applications |
| Authorization Code + PKCE | Mobile/SPA applications |
| Client Credentials | Machine-to-machine |
| Device Authorization | Limited input devices |
Authorization Code Flow
Step 1: Redirect to Authorization
```
https://auth.islamicopenfinance.com/oauth2/authorize?
response_type=code&
client_id=YOUR_CLIENT_ID&
redirect_uri=https://yourapp.com/callback&
scope=contracts:read contracts:write&
state=random_state_value
```

Step 2: Exchange Code for Token
```bash
curl -X POST https://api.islamicopenfinance.com/oauth2/token \
  -d "grant_type=authorization_code" \
  -d "code=AUTH_CODE" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "redirect_uri=https://yourapp.com/callback"
```

Response:
```json
{
  "access_token": "iof_at_...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "iof_rt_...",
  "scope": "contracts:read contracts:write"
}
```

Step 3: Use Access Token
```bash
curl https://api.islamicopenfinance.com/v1/contracts \
  -H "Authorization: Bearer iof_at_..."
```

PKCE Flow
For public clients (mobile apps, SPAs):
```typescript
import { createHash, randomBytes } from "node:crypto";

// Generate code verifier and S256 challenge (RFC 7636):
// 48 random bytes give 64 unreserved characters; the challenge is BASE64URL(SHA-256(verifier)).
const codeVerifier = randomBytes(48).toString("base64url");
const codeChallenge = createHash("sha256").update(codeVerifier).digest("base64url");

// Include the challenge in the authorization request; keep codeVerifier to send
// as code_verifier in the token request. clientId/redirectUri are your registered values.
const params = new URLSearchParams({
  response_type: "code",
  client_id: clientId,
  redirect_uri: redirectUri,
  scope: "contracts:read",
  code_challenge: codeChallenge,
  code_challenge_method: "S256",
});
const authUrl = `https://auth.islamicopenfinance.com/oauth2/authorize?${params}`;
```

Scopes
| Scope | Access |
|---|---|
| openid | OpenID Connect identity |
| profile | User profile information |
| contracts:read | Read contracts |
| contracts:write | Manage contracts |
| offline_access | Refresh tokens |
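The following is an added example, not code from Islamic Open Finance, that ties the PKCE and authorization code steps above together for a public client: it derives the S256 challenge, builds the authorization URL with a `state` parameter, and on the callback refuses the exchange unless `state` matches before binding the token request to the stored verifier. It assumes a Node.js runtime and uses the endpoint URLs shown on this page; client ID, redirect URI and the session store are placeholders.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Endpoints from the page; client_id and redirect_uri are placeholders.
const AUTHORIZE_URL = "https://auth.islamicopenfinance.com/oauth2/authorize";
const TOKEN_URL = "https://api.islamicopenfinance.com/oauth2/token";

// RFC 7636: code_challenge = BASE64URL(SHA-256(code_verifier)), method S256.
export function pkceChallenge(verifier: string): string {
  return createHash("sha256").update(verifier).digest("base64url");
}

// 48 random bytes -> 64 unreserved characters, inside the 43..128 limit.
export function newVerifier(): string {
  return randomBytes(48).toString("base64url");
}

// Per-attempt values the app keeps in its own session store, never in the URL.
export interface PendingAuth { state: string; verifier: string; }

export function buildAuthorizeUrl(clientId: string, redirectUri: string, pending: PendingAuth): string {
  const u = new URL(AUTHORIZE_URL);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("scope", "contracts:read");
  u.searchParams.set("state", pending.state);
  u.searchParams.set("code_challenge", pkceChallenge(pending.verifier));
  u.searchParams.set("code_challenge_method", "S256");
  return u.toString();
}

// On the callback: reject unless state matches what we issued, then bind the
// token request to the original verifier so an intercepted code is useless alone.
export function tokenRequestFromCallback(
  callbackUrl: string, clientId: string, redirectUri: string, pending: PendingAuth,
): { url: string; body: URLSearchParams } | null {
  const q = new URL(callbackUrl).searchParams;
  const code = q.get("code");
  if (!code || q.get("state") !== pending.state) return null; // possible CSRF/mix-up: abort
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    client_id: clientId,
    redirect_uri: redirectUri,
    code_verifier: pending.verifier, // public client: no client_secret
  });
  return { url: TOKEN_URL, body };
}
```

Post `body` to `url` as `application/x-www-form-urlencoded` and the server recomputes the challenge from `code_verifier` before issuing the tokens shown in the Step 2 response.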
Next Steps
- Webhooks Security - Verify webhook signatures
- API Reference - Available endpoints