OAuth 2.0

Islamic Open Finance™ supports OAuth 2.0 for user-delegated access to the API.

Supported Flows

Flow	Use Case
Authorization Code	Web applications
Authorization Code + PKCE	Mobile/SPA applications
Client Credentials	Machine-to-machine
Device Authorization	Limited input devices

Authorization Code Flow

Step 1: Redirect to Authorization

https://auth.islamicopenfinance.com/oauth2/authorize?
  response_type=code&
  client_id=YOUR_CLIENT_ID&
  redirect_uri=https://yourapp.com/callback&
  scope=contracts:read contracts:write&
  state=random_state_value

Step 2: Exchange Code for Token

curl -X POST https://api.islamicopenfinance.com/oauth2/token \
  -d "grant_type=authorization_code" \
  -d "code=AUTH_CODE" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "redirect_uri=https://yourapp.com/callback"

Response:

{
  "access_token": "iof_at_...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "iof_rt_...",
  "scope": "contracts:read contracts:write"
}

Step 3: Use Access Token

curl https://api.islamicopenfinance.com/api/v1/contracts \
  -H "Authorization: Bearer iof_at_..."

PKCE Flow

For public clients (mobile apps, SPAs):

// Generate code verifier and challenge
const codeVerifier = generateRandomString(64);
const codeChallenge = base64url(sha256(codeVerifier));

// Include in authorization request
const authUrl = `https://auth.islamicopenfinance.com/oauth2/authorize?
  response_type=code&
  client_id=${clientId}&
  redirect_uri=${redirectUri}&
  scope=contracts:read&
  code_challenge=${codeChallenge}&
  code_challenge_method=S256`;

Scopes

Scope	Access
`openid`	OpenID Connect identity
`profile`	User profile information
`contracts:read`	Read contracts
`contracts:write`	Manage contracts
`offline_access`	Refresh tokens

Next Steps

Webhooks Security - Verify webhook signatures
API Reference - Available endpoints