Overview

The RRC API uses OAuth 2.0 for authentication. To access the API, you need to obtain a bearer token from the authorization server and include it in all API requests.
IP Whitelisting Required: Before you can access the API, your IP address must be whitelisted. Contact us to register your IP addresses.

Obtaining a Bearer Token

To authenticate with the API, you need to obtain a bearer token using the OAuth 2.0 client credentials flow.

Token Request

Use the following cURL command to obtain a bearer token:
curl -X POST \
  --location 'https://auth.sandbox.finventi.com/realms/sti-connector/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_id=<your-client-id>' \
  --data-urlencode 'client_secret=<your-client-secret>'

Parameters

  • grant_type (string, required): Must be set to client_credentials
  • client_id (string, required): Your client ID provided during onboarding
  • client_secret (string, required): Your client secret provided during onboarding

Variables to Replace

  • <your-client-id>: Your client ID provided during onboarding
  • <your-client-secret>: Your client secret provided during onboarding

Token Response

A successful response will include your access token:
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6IC...",
  "expires_in": 2700,
  "refresh_expires_in": 0,
  "token_type": "Bearer",
  "not-before-policy": 0,
  "scope": "profile email"
}
The bearer token is valid for 45 minutes. After expiration, you’ll need to request a new token.

Using the Bearer Token

Include the bearer token in the Authorization header of all API requests with the Bearer prefix.

Authorization Header Format

Authorization: Bearer <bearer-token>

Best Practices

Token Management

  • Cache tokens until they expire
  • Implement token refresh logic that requests a new token before expiration
  • Never expose tokens in client-side code

Security

  • Store client secrets securely
  • Use environment variables for credentials
  • Rotate client secrets regularly

Common Issues

Invalid Client Credentials

If you receive an authentication error, verify:
  • Your client secret is correct and hasn’t been rotated
  • Your IP address is whitelisted

Expired Token

If you receive a 401 Unauthorized error:
  • Check if 45 minutes have passed since token generation
  • Request a new bearer token
  • Update your application’s token cache

Next Steps

Once authenticated, you can access RRC services:
Last modified on May 7, 2026