The Kard API supports authentication via the OAuth 2.0 client credentials flow. Kard provides each issuer client
with a client_id and client_secret.
Use the new Kard Authentication API endpoint. Each client will have their own dedicated subdomain, which will be provided by Kard.
The API follows the OAuth 2.0 client credentials flow and requires:
- {client_id}:{client_secret}
- application/x-www-form-urlencoded
- grant_type=client_credentials
Replace {your-client-subdomain} with the subdomain provided by Kard for your organization.
The returned access token must be used in the Authorization header as a bearer token
in subsequent requests.
This feature is currently in Beta. If you are interested in using this feature, please contact your Kard representative.
If you manage multiple issuers on the Kard platform, you can scope your auth token to a specific issuer by including the X-Kard-Target-Issuer header in your token request. The response is identical to a standard authentication request, but the returned access token will be locked to the issuer specified in the header.
Example response:
Any subsequent API calls made with this token will be scoped to the specified issuer. If you need to interact with a different issuer, request a new token with the corresponding X-Kard-Target-Issuer value.
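The following is an added example, not Kard's own code: it builds the token request described above (Basic credentials, form-encoded grant_type, optional X-Kard-Target-Issuer) and caches one token per issuer so an issuer-scoped token is never reused for a different issuer. The token URL is supplied by the caller because the endpoint path is not shown here, and the response field names access_token and expires_in are assumed from RFC 6749.

```python
import base64
import json
import time
import urllib.parse
import urllib.request


def build_token_request(client_id, client_secret, target_issuer=None):
    """Return (headers, body) for the client-credentials token request."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    if target_issuer is not None:
        headers["X-Kard-Target-Issuer"] = target_issuer  # lock token to one issuer
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return headers, body


def http_fetch(token_url, client_id, client_secret):
    """Build a fetch(target_issuer) callable. token_url is supplied by the
    caller; the page does not show the endpoint path, so none is assumed."""
    if not token_url.startswith("https://"):
        raise ValueError("refusing to send client credentials over non-HTTPS")

    def fetch(target_issuer=None):
        headers, body = build_token_request(client_id, client_secret, target_issuer)
        req = urllib.request.Request(token_url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return fetch


class TokenCache:
    """One cached token per target issuer, so a token locked to one issuer
    is never reused for a call meant for another."""

    def __init__(self, fetch, skew=30, clock=time.monotonic):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._tokens = {}  # target_issuer (or None) -> (token, expiry)

    def bearer_header(self, target_issuer=None):
        token, expiry = self._tokens.get(target_issuer, (None, 0.0))
        if token is None or self._clock() >= expiry - self._skew:
            resp = self._fetch(target_issuer)
            # Assumption: RFC 6749 field names (access_token, expires_in).
            token = resp["access_token"]
            expiry = self._clock() + float(resp.get("expires_in", 0))
            self._tokens[target_issuer] = (token, expiry)
        return {"Authorization": f"Bearer {token}"}
```

Keep client_secret out of source control and logs; the cache holds tokens in memory only and refreshes them 30 seconds before the assumed expiry.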
The API returns standard HTTP status codes:
Example Successful Response:
DEPRECATED: The direct Cognito authentication method is deprecated and will be discontinued soon. Please migrate to the new Authentication API v2 above.
GET Session Token request in root directory
https://test-rewards-api.auth.us-east-1.amazoncognito.com
{clientHash}: base64 encoded copy of {client_id}:{client_secret}, provided in the postman_environment.json.
Example response: