Security Overview


To provide a secure environment across all Apex NZ’s systems and services, the user accessing the system first needs to authenticate themselves via a username and password combination.

We use the OpenID Connect / OAuth 2 protocol and host (via the API) a series of web pages that manage the login and user-creation process (including the password reset and email workflows).

OpenID Connect Flow


Contact Apex NZ to register your application

Use the supported flow below to obtain an access token which can be used to interact with the Apex NZ Wealth Administration API.

You will receive a client_id to represent your application. This is an alphanumeric string consisting only of characters which do not need to be url encoded.

You will receive a client_secret. This is an alphanumeric string which you must keep confidential. Use of the client_secret is enforced in every token exchange.

Example API urls will begin with https://exampleapi.mmcnz.co.nz. Please replace this with the API url you are given.

Full Access Token


Use the Client Credentials flow to obtain a full access token which can be used to interact with the Apex NZ Registry API.

Important: You must request this level of access specifically; it is not enabled unless requested.

1. Using the Client Credentials flow

We recommend this OAuth 2 flow for server-based machine-to-machine integrations. The name may be confusing at first: "client" refers to the OAuth 2 client, which is to say your application. This flow must not be used directly from a browser or desktop application, because the client secret cannot be protected there.

For the official specification please refer to: https://tools.ietf.org/html/rfc6749#section-4.4.

1.1 Client issues token request

The client application makes a request using HTTP POST to the token endpoint https://exampleapi.mmcnz.co.nz/connect/token providing the following form (application/x-www-form-urlencoded) parameters:

  • client_id = your client_id
  • client_secret = your client_secret
  • grant_type = "client_credentials"

A successful exchange response is a JSON document. The example below omits some keys you will observe in a real response; these can be ignored.

{
  "token_type": "Bearer",
  "access_token": "access token string",
  "expires_in": integer
}

The access_token can be used to access the API. The access token consists only of characters that are valid in a base-64 encoded string, but it is not valid base-64 and should not be decoded or otherwise transformed.

expires_in is an integer number of seconds, after which time the access token will expire.

Using an access token to authenticate with the API

You can include the Bearer token with a request by including an Authorization header with your request:

  • Authorization: Bearer 'access token string'
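The steps above (token request, response handling, expiry, Authorization header) as one worked client, added here as an example and not part of Apex NZ's own SDK or documentation. It assumes only what this page states: a POST of client_id, client_secret and grant_type=client_credentials to /connect/token, and a JSON reply carrying token_type, access_token and expires_in. The base URL is the page's placeholder https://exampleapi.mmcnz.co.nz; the credentials, the fake endpoint and the fake clock are constructed so the example runs offline.

```python
"""Client Credentials token client for the Apex NZ token endpoint (added example).

Assumes only what the page states: form-encoded POST to /connect/token and a
JSON reply with token_type, access_token, expires_in. Base URL is the page's
placeholder; replace it with the API URL you are given.
"""
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/connect/token"


def build_token_request(client_id: str, client_secret: str) -> bytes:
    """Encode the three form fields as application/x-www-form-urlencoded.

    The secret goes in the POST body, never the query string, so it does not
    land in access logs or Referer headers; urlencode percent-escapes '&' and
    '=' so a secret containing them cannot break the form."""
    return urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }).encode("ascii")


def parse_token_response(raw: bytes, now: float) -> tuple:
    """Return (access_token, expires_at) from the endpoint's JSON reply.

    Extra keys are ignored, as the page says; the token is kept opaque and
    never decoded even though it looks base-64-ish."""
    doc = json.loads(raw)
    if str(doc.get("token_type", "")).lower() != "bearer":
        raise ValueError("expected a Bearer token, got %r" % doc.get("token_type"))
    token, expires_in = doc["access_token"], int(doc["expires_in"])  # seconds
    if not isinstance(token, str) or not token or expires_in <= 0:
        raise ValueError("malformed token response")
    return token, now + expires_in


def default_post(url: str, body: bytes) -> bytes:
    """Real transport (not exercised offline): HTTPS POST of the form body."""
    if not url.startswith("https://"):
        # Refuse plaintext: the client_secret travels in this request body.
        raise ValueError("token endpoint must be https, got %s" % url)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


class TokenClient:
    """Fetches a token and reuses it until margin_seconds before expires_in
    elapses, so each API call does not cost a token exchange."""

    def __init__(self, base_url, client_id, client_secret,
                 post=default_post, clock=time.monotonic, margin_seconds=60):
        self._token_url = base_url.rstrip("/") + TOKEN_PATH
        self._client_id, self._client_secret = client_id, client_secret
        self._post = post      # injectable so the example runs offline
        self._clock = clock    # injectable so expiry can be simulated
        self._margin = margin_seconds
        self._token, self._expires_at = None, 0.0

    def access_token(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            raw = self._post(self._token_url,
                             build_token_request(self._client_id, self._client_secret))
            self._token, self._expires_at = parse_token_response(raw, now)
        return self._token

    def auth_header(self) -> dict:
        """Header to attach to API requests, as the page shows."""
        return {"Authorization": "Bearer " + self.access_token()}


class FakeTokenEndpoint:
    """Constructed stand-in for /connect/token so the demo runs offline.
    It checks the form fields the page requires and counts exchanges."""

    def __init__(self, client_id, client_secret):
        self.client_id, self.client_secret, self.calls = client_id, client_secret, 0

    def __call__(self, url, body):
        fields = urllib.parse.parse_qs(body.decode("ascii"))
        if (fields.get("grant_type") != ["client_credentials"]
                or fields.get("client_id") != [self.client_id]
                or fields.get("client_secret") != [self.client_secret]):
            return json.dumps({"error": "invalid_client"}).encode()  # no token_type
        self.calls += 1
        return json.dumps({"token_type": "Bearer", "access_token": "tok-%d" % self.calls,
                           "expires_in": 3600, "scope": "ignored-extra-key"}).encode()


def demo():
    """Three API calls across one token lifetime: fetch, reuse, refresh near expiry."""
    endpoint = FakeTokenEndpoint("my_client_id", "my_client_secret")  # constructed creds
    clock = [0.0]  # constructed clock, advanced by hand
    client = TokenClient("https://exampleapi.mmcnz.co.nz", "my_client_id",
                         "my_client_secret", post=endpoint, clock=lambda: clock[0])
    first = client.auth_header()["Authorization"]    # exchange 1
    clock[0] = 1800.0
    second = client.auth_header()["Authorization"]   # halfway: reused, no exchange
    clock[0] = 3550.0
    third = client.auth_header()["Authorization"]    # inside the 60 s margin: exchange 2
    return first, second, third, endpoint.calls


if __name__ == "__main__":
    print(demo())
```

The transport and clock are injected so the demo runs without network; in production leave both at their defaults, keep the client_secret out of source and logs (an environment variable or secret store), and never log the returned access token.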