Authentication

Authentication Flow

When a user logs in to dapi through Connect, a temporary RSA key pair is generated just for that login. The public key is sent back to Connect, which encrypts the user's bank credentials, along with any other required data, and sends them to dapi.

Our servers then decrypt the received message and use the credentials to log in to the bank. If the bank login succeeds, a unique user encryption key is generated for this user and used to encrypt their data, and the temporary RSA key pair is deleted. The encrypted user information is then stored in our database.

An application-specific public key is then used to encrypt the user encryption key itself. The encrypted user key is returned to Connect to be stored on the user's device, along with an exchange token.

dapi stores only encrypted user information, while the password needed to decrypt the user key is held by the client and the encrypted user key itself by the user. This means that accessing user information requires data from three different locations.

This setup gives our users a three-point system: the user, the client and dapi would all have to be breached for a single user's information to be compromised.
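A runnable model of the flow above, added here as an illustration and not dapi's own code. It assumes RSA-OAEP for both the temporary pair and the app key and AES-256-GCM for the per-user key (the page names neither cipher), and stands in for the bank login with a simple credential comparison; all sample data is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// aead builds AES-256-GCM for the user key (the page does not name this cipher; it is assumed).
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Login models the flow: dapi's temporary RSA pair protects the credentials in transit, a fresh
// user key encrypts the bank data dapi stores, and the app public key wraps that user key for
// the device. bankData stands in for what the bank returns after a successful login (constructed).
func Login(appPub *rsa.PublicKey, creds, bankData []byte) (encData, encUserKey []byte, err error) {
	tmp, _ := rsa.GenerateKey(rand.Reader, 2048) // dapi: temporary pair for this login only
	wire, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &tmp.PublicKey, creds, nil) // Connect side
	got, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, tmp, wire, nil)             // dapi side
	if err != nil || string(got) != string(creds) {
		return nil, nil, errors.New("bank login failed") // stands in for the real bank check
	}
	userKey := make([]byte, 32) // generated only after the bank accepted the login
	rand.Read(userKey)
	g, _ := aead(userKey) // 32-byte key, cannot fail
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	encData = g.Seal(nonce, nonce, bankData, nil) // nonce || ciphertext || tag, kept by dapi
	encUserKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, appPub, userKey, nil)
	return encData, encUserKey, err // tmp is dropped here; dapi never stores it
}
// Access needs all three parts: the client's app private key, the device's wrapped user key,
// and the ciphertext dapi stored. Any one of them missing or wrong makes it fail.
func Access(appPriv *rsa.PrivateKey, encUserKey, encData []byte) ([]byte, error) {
	userKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, appPriv, encUserKey, nil)
	if err != nil {
		return nil, err
	}
	g, err := aead(userKey)
	if err != nil || len(encData) < g.NonceSize() {
		return nil, errors.New("bad user key or stored record")
	}
	return g.Open(nil, encData[:g.NonceSize()], encData[g.NonceSize():], nil)
}
```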

POST Exchange Token

https://api.dapi.co/v1/auth/ExchangeToken
Exchange the accessCode for an accessToken.

Request body parameters

connectionID (string, required): Connection ID from Connect
appSecret (string, required): App Secret from the dashboard
accessCode (string, required): Access Code from Connect

Response

200: OK
{
  "success": true,
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.PugYsrjAC85d6DmjkhStDVNIjUPNcqtt3yTR6hnBRRa"
}

401: Unauthorized
{
  "success": false,
  "msg": "Invalid or expired exchange token"
}

Access Code

This code is generated when the user successfully logs into Connect.

Access Token

This token is used to run operations against an end-user. It's used in all dapi operations to retrieve data and initiate payments.