Authentication

LoanStreet uses the OpenID Connect (OIDC) Protocol and OAuth 2.0 Authorization Framework to authenticate accounts and get their authorization to access the protected LoanStreet API. Access to the LoanStreet API is granted through a request for a valid JSON web token (JWT). This process authorizes the account with LoanStreet.

Once the account is confirmed, it can request information from the LoanStreet API by sending the JWT as the Bearer token. Encoded within the JWT are permissions to specific areas of the application, which the API uses to authorize the request. If the token is expired, from an unrecognized site, or tampered with, the API request will be forbidden.

Account types

LoanStreet supports two types of accounts:

Service Accounts

Are intended for system-to-system integrations. Tokens are obtained using a client_secret provided by LoanStreet. The client_secret does not expire and should be tightly secured within a company’s infrastructure. If the client_secret is suspected to be compromised, a new client_secret will be provided upon request.

Account

Are intended for a single person. Authentication is highly secure with MFA (Multi-Factor Authentication) enabled and a short token expiration.

Obtaining JWT Token

LoanStreet uses a client id method of authentication for each type of account, meaning that a client id and a password or key must be provided to be authenticated.

  • For accounts, this is your email account and password.

  • For service accounts, this is your client_id and your client_secret.

Warning

Keep your secret a secret!

Make sure your client_id and client_secret aren’t available in publicly accessible areas, such as GitHub or client-side code.

POST /oauth/token
Request Headers:
Request JSON Object:
  • email (string) – Your email account.

  • password (string) – Your account password.

Response Headers:
Status Codes:

Example Request:

POST /oauth/token HTTP/1.1
Host: api-dev.loan-street.com
Accept: gzip, deflate, br

{
   "email":"[YOUR EMAIL ACCOUNT]",
   "password":"[YOUR ACCOUNT PASSWORD]"
}

Account Example Response:

HTTP/1.1 200 OK
Vary: Accept
Content-Type: text/javascript

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ik1qWkVSamhCTjBFM09VSXhNVFk0T1RnNU5VSkZNe
kl4TXpBd01FSTJOVGd4TTBZek9VRkROQSJ9.eyJodHRwczovL2FwaS5sb2FuLXN0cmVldC5jb20vcm9sZXMiO
lsiRVhURVJOQUwgQVBJIEFETUlOIiwiTE9BTlNUX1NVUEVSX1VTRVIiLCJMT0FOU1RfU1VQUE9SVCJdLCJodH
RwczovL2FwaS5sb2FuLXN0cmVldC5jb20vaW5zdGl0dXRpb25faWQiOiIyYjI1OWNiOC1jZmE0LTQ1MGMtYjE
1YS0xYzZmOTMyZTRjYzYiLCJpc3MiOiJodHRwczovL2F1dGgtZGV2LmxvYW4tc3RyZWV0LmNvbS8iLCJzdWIi
OiJhdXRoMHw2MGU3MGQyMTY2O

Service Account Example Response:

HTTP/1.1 200 OK
Vary: Accept
Content-Type: text/javascript

{
   "access_token": "
   eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ik1qWkVSamhCTjBFM09VSXhNVFk0T1RnNU5VSk
   ZNekl4TXpBd01FSTJOVGd4TTBZek9VRkROQSJ9.eyJodHRwczovL2FwaS5sb2FuLXN0cmVldC5jb20vaW5
   zdGl0dXRpb25faWQiOiIyYjI1OWNiOC1jZmE0LTQ1MGMtYjE1YS0xYzZmOTMyZTRjYzYiLCJpc3MiOiJod
   HRwczovL2F1dGgtZGV2LmxvYW4tc3RyZWV0LmNvbS8iLCJzdWIiOiIwYWI2UDZTRm5Xb0FQZVRrdDNFYzB
   RWndKRUN",
   "scope": "https://api.loan-street.com/auth/cls-deal.view https://api.loan-street.com/auth/external-api.fullcontrol",
   "expires_in": 86400,
   "token_type": "Bearer"
}

Note

Your token will expire after 24 hours.

After 24 hours, you will receive a 403 Forbidden response and will need to obtain a new JWT.

Calling the LoanStreet API

Once a JWT has been obtained, it can be used to request data from the LoanStreet API. It must be passed as part of the LoanStreet API request in order to authenticate the user/account requesting LoanStreet data.

The token should be passed as part of an HTTP Authorization header when calling the LoanStreet API, using the “Bearer token” scheme (see Authentication schemes: https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#authentication_schemes).

Example Request

GET /api/latest/cls/balances/principal HTTP/1.1
Host: api-dev.loan-street.com
Accept: gzip, deflate, br
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6...
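
The following added example (not LoanStreet's own code) shows one way a service-account integration can keep the client_secret out of source, reuse the JWT until shortly before the 24-hour expires_in elapses, and discard it after a 403. The environment variable names, the client_id/client_secret JSON field names and the Content-Type header are assumptions; the page does not show the service-account request body.

```python
import json
import os
import time
import urllib.request

TOKEN_URL = "https://api-dev.loan-street.com/oauth/token"  # host from the page's example


def http_post_json(url, body):
    """Default transport: POST a JSON body and return the parsed JSON reply."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"})  # assumed content type
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class ServiceTokenCache:
    """Holds the service-account JWT and renews it before expires_in elapses."""

    def __init__(self, post=http_post_json, clock=time.monotonic,
                 skew=300, env=os.environ):
        self._post, self._clock, self._skew, self._env = post, clock, skew, env
        self._token, self._deadline = None, 0.0

    def _fetch(self):
        # The secret is read from the environment at call time, so it never
        # lives in source control or client-side code, and it is never logged.
        # Assumption: hypothetical variable names and JSON field names.
        body = {"client_id": self._env["LOANSTREET_CLIENT_ID"],
                "client_secret": self._env["LOANSTREET_CLIENT_SECRET"]}
        reply = self._post(TOKEN_URL, body)
        if reply.get("token_type") != "Bearer" or not reply.get("access_token"):
            raise ValueError("unexpected token response")
        self._token = reply["access_token"]
        # Renew `skew` seconds early so a request never carries an expired JWT.
        self._deadline = self._clock() + int(reply["expires_in"]) - self._skew

    def auth_header(self):
        """Return the Authorization header, fetching a new JWT only if needed."""
        if self._token is None or self._clock() >= self._deadline:
            self._fetch()
        return {"Authorization": "Bearer " + self._token}

    def invalidate(self):
        """Call after a 403 Forbidden so the next request obtains a new JWT."""
        self._token = None
```

Passing a stub for `post` and `clock` lets the renewal logic be exercised without network access or real credentials.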