Authentication

Kard API

The Kard API supports authentication via the OAuth 2.0 client credentials grant. Kard provides the issuer client with a client_id and client_secret.

The issuer client sends a POST request with the following headers to the Cognito URL below to retrieve the access_token. See the sample request:

$ curl -X POST "https://rewards-api.auth.us-east-1.amazoncognito.com/oauth2/token?grant_type=client_credentials" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic {base64 encoding of client_id:client_secret}"

See the GET a Session Token endpoint for more details.

The returned access token must be used in the Authorization header as a bearer token in subsequent requests.

Kard’s Earned Rewards Webhook

For the earned rewards webhook, Kard posts outbound to a URL provided by the issuer client. This webhook is validated via an HMAC signature.

An issuer client will be provided with a webhook key that is used to generate an HMAC of the webhook body. Kard calculates the HMAC and sends it in the notify-signature header. Note that request header names are processed case-insensitively.

To validate, the issuer client should compute an HMAC of the request body using the provided key and the SHA-256 hash algorithm, and compare the result against the HMAC provided in the header.

See the HMAC Signature Verification sub-section under the Transaction CLO Matching section for more details on ingesting an earned rewards webhook.
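The verification step described above, as an added example for issuer-side code (it is not Kard's own code). It assumes the notify-signature value is a hex-encoded HMAC-SHA256 digest and that the webhook key is a UTF-8 string; the sample body and key are constructed for illustration.

```python
import hashlib
import hmac


def find_header(headers: dict, name: str):
    """Case-insensitive header lookup, since header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def compute_signature(webhook_key: str, raw_body: bytes) -> str:
    """HMAC-SHA256 of the raw request body, hex-encoded (encoding is an assumption)."""
    return hmac.new(webhook_key.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(webhook_key: str, headers: dict, raw_body: bytes) -> bool:
    """Return True only if the notify-signature header matches the body's HMAC.

    raw_body must be the bytes exactly as received on the wire; re-serialising
    a parsed JSON object can change whitespace or key order and break the HMAC.
    """
    received = find_header(headers, "notify-signature")
    if received is None:
        return False  # unsigned request: reject rather than trust it
    expected = compute_signature(webhook_key, raw_body)
    # Constant-time comparison so response timing does not leak the digest.
    return hmac.compare_digest(expected.lower(), received.strip().lower())


if __name__ == "__main__":
    # Constructed sample values, not real Kard data.
    key = "example-webhook-key"
    body = b'{"event":"earned_reward","amount":250}'
    hdrs = {"Content-Type": "application/json",
            "Notify-Signature": compute_signature(key, body)}
    print("valid:", verify_webhook(key, hdrs, body))            # True
    print("tampered:", verify_webhook(key, hdrs, body + b" "))  # False
```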