Authentication and Security

All requests to Vessel are authenticated by an API token, and all requests must be made over HTTPS. When making any request, ensure the following headers are provided.

vessel-api-token: The Vessel API token

Please contact to request an API token.

LinkToken/AccessToken Exchange

You can think about our product as a gated neighborhood with locked houses, where each house represents a user’s account. The apiToken allows you to enter the gated neighborhood and each house can be unlocked by its own unique accessToken. To interact with any accounts, you will use both the apiToken and accessToken.

The following process ensures your customers' credentials are handled safely.

1. Your server calls /link/token to get a linkToken. The linkToken is a temporary token used by the client to allow users to connect an account on the frontend.
2. Pass the linkToken to the Vessel Link component. In the onSuccess handler, Link will return a temporary publicToken. The onSuccess handler is called after the customer successfully connects their account.
3. Call /link/exchange with the publicToken and exchange it for a permanent accessToken.
4. Store the accessToken in a secure location. You will use it with your apiToken to interact with the account.
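
One way to run steps 1, 3 and 4 on your server, as an added example that is not Vessel's own code. It assumes POST requests with JSON bodies and response fields named after the tokens in the text, and it uses AES-256-GCM as one possible "secure location"; `createVesselAuth` and its options are hypothetical names.

```javascript
// Added example, not Vessel's code. Assumed: POST with JSON bodies, response fields
// named after the tokens in the text, and AES-256-GCM as the "secure location".
const crypto = require('node:crypto');

function createVesselAuth({ baseUrl, apiToken, storageKey, fetchImpl = globalThis.fetch }) {
  // Every request must use HTTPS, so refuse any other scheme before the apiToken is sent.
  if (new URL(baseUrl).protocol !== 'https:') throw new Error('Vessel base URL must be https');
  if (!Buffer.isBuffer(storageKey) || storageKey.length !== 32) throw new Error('storageKey must be 32 bytes');
  const vault = new Map(); // userId -> sealed accessToken; stand-in for a database column

  async function call(path, body) {
    const res = await fetchImpl(new URL(path, baseUrl).href, {
      method: 'POST',
      headers: { 'vessel-api-token': apiToken, 'content-type': 'application/json' },
      body: JSON.stringify(body),
    });
    if (!res.ok) throw new Error(`${path} failed with HTTP ${res.status}`);
    return res.json();
  }

  // The userId is bound in as associated data so a sealed record cannot be moved to another user.
  function seal(userId, token) {
    const iv = crypto.randomBytes(12);
    const cipher = crypto.createCipheriv('aes-256-gcm', storageKey, iv);
    cipher.setAAD(Buffer.from(userId));
    const body = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
    return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
  }
  function open(userId, sealed) {
    const raw = Buffer.from(sealed, 'base64');
    const decipher = crypto.createDecipheriv('aes-256-gcm', storageKey, raw.subarray(0, 12));
    decipher.setAAD(Buffer.from(userId));
    decipher.setAuthTag(raw.subarray(12, 28));
    return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
  }

  return {
    // Step 1: runs on the server, so the apiToken never reaches the browser.
    createLinkToken: async () => (await call('/link/token', {})).linkToken,
    // Steps 3 and 4: exchange the publicToken from onSuccess, then keep only the sealed accessToken.
    async exchangeAndStore(userId, publicToken) {
      const { accessToken } = await call('/link/exchange', { publicToken });
      if (typeof accessToken !== 'string' || accessToken === '') throw new Error('no accessToken returned');
      vault.set(userId, seal(userId, accessToken));
    },
    storedRecord: (userId) => vault.get(userId),
    accessTokenFor: (userId) => (vault.has(userId) ? open(userId, vault.get(userId)) : null),
  };
}
```

Only the linkToken and publicToken ever pass through the browser; the apiToken and accessToken stay on the server.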

For an example of how to execute this flow inside your own application, please see the Getting Started Guide.