Authentication Method

We use the OAuth 2.0 authentication method, an industry standard for authorization, to ensure the security and integrity of user and system identification. This method involves generating tokens that allow secure access to our servers, software, and APIs. Authentication through OAuth 2.0 helps prevent cyber fraud and the leakage of sensitive information by utilizing public key encryption to validate identities.
1

Creating Public and Private Keys

Before receiving the credential, it is necessary to generate a key pair: one private key and one public key. The private key will be used to sign the token, while the public key should be sent to us to validate the token’s signature.First, generate the private key using the command below via terminal:
openssl genrsa -out private.pem 2048
Then, generate the public key through the terminal:
openssl rsa -in private.pem -pubout > public.pem
Keep the private key in a secure location and never share it.
2

Requesting the Public Key

We will ask for your email to open a request regarding the submission of the public key. After this, you will receive a message from notifications@heflo.com with instructions for sending the key.
Send only your public key for validation to our team by responding to the HEFLO request email, without copying other people for security reasons. If other people are copied, this will invalidate the receipt of the public key.
3

Receiving the client_id

After validating your public key, our team will generate and send your client_id, which will be used for authentication in the system.
4

Generating the JWT

Generate a TOKEN following the RS256 standard, containing crucial information such as unique identifier, issuance time, and expiration time.
const tokenHeader = {
  alg: "RS256", // 'alg': Algorithm used to sign the token (RS256 - RSA with SHA-256).
  typ: "JWT"    // 'typ': Type of token, in this case, JWT.
};

const tokenPayload = {
  jti: "5e8e07e3-d3f0-4881-a644-0895f4949e9b", // 'jti': Unique ID of the token.
  sub: "client_id", // 'sub': Identifier of the client (fill with the client_id sent by our team).
  iat: 1573648398, // 'iat': Date and time the token was issued (UNIX timestamp in seconds).
  nbf: 1573648398, // 'nbf': Date and time before which the token must not be accepted (UNIX timestamp).
  exp: 1573648458, // 'exp': Expiration date of the token (UNIX timestamp).
  iss: "client_id", // 'iss': Issuer of the token (fill with the client_id sent by our team).
  aud: "https://auth.moneyp.dev.br/connect/token" // 'aud': Recipient of the token (checks if the token is sent to the correct server).
};
5

Bearer Token Generation Endpoint

To generate a TOKEN using the OAuth 2.0 method, the client must send a POST request with the Content-Type Header as “application/x-www-form-urlencoded.” Below is the CURL command for the endpoint used to generate the token:
curl --location 'https://auth.moneyp.dev.br/connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Cache-Control: no-cache' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_id=client_id' \
  --data-urlencode 'scope=<< SCOPES>>' \ // Replace << SCOPES>> with the scopes of the endpoints that will be released for using this token
  --data-urlencode 'client_assertion="<< Token JWT >>"' \ // JWT generated in the previous step.
  --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
The field in the curl command above 'scope=<< SCOPES>>' accepts up to 300 characters, and each scope should be separated by a space.
After authentication, the obtained access token must be used in all subsequent requests in the authorization header.
const headers = {
  Authorization: `Bearer <<Access token>>`
};
Our Bearer Token, once generated, has a validity of 1 hour. After this period, it will be necessary to generate a new token to ensure the continuity of the session in an active and secure manner.