Skip to content

Commit 96703be

Browse files
authored
feat: devex (#160)
* chore: update text with app types * chore: improve client credential docs and refactor getting started
1 parent f01f01c commit 96703be

3 files changed

Lines changed: 248 additions & 47 deletions

File tree

apps/customer/package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@
33
"version": "0.7.4",
44
"private": true,
55
"scripts": {
6-
"dev": "next dev --turbo",
6+
"dev": "next dev --turbo -p 5000",
77
"build": "next build",
88
"start": "next start",
99
"lint": "next lint --fix",

apps/developer/docs/authorization.mdx

Lines changed: 128 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -125,29 +125,148 @@ Further reading:
125125

126126
## Client credentials authorization
127127

128-
> Note: client credentials are used to authenticate the application itself, not a user. This is useful when you want to access your own data. While you can access user data with client credentials, it is not recommended. Instead, use the authorization code flow to authenticate users.
128+
The Client Credentials flow is used for server-to-server authentication where your application acts on its own behalf, not on behalf of a specific user. This is the authentication method for both **Personal** and **White-label** app types.
129129

130-
Confidential clients which can hide their credentials, e.g. backend servers, can be enlisted in Monerium's partner program, which enables them simultaneous access to multiple profiles which have granted authorization. These clients can get an access_token by submitting a POST or GET request to `/auth/token`:
130+
### When to Use Client Credentials
131131

132-
```
133-
curl --location --request POST 'http://api.monerium.app/auth/token' \
132+
- **Personal apps**: Your application performs automated actions on your own Monerium account (e.g., backend scripts, scheduled jobs, internal tooling)
133+
- **White-label apps**: Your platform manages users and their payment accounts directly, with Monerium fully abstracted from end users
134+
135+
:::warning Security Requirements
136+
Client credentials (`client_secret`) must be stored securely and never exposed in client-side code. Only use this flow in environments where you can securely store secrets, such as backend servers.
137+
:::
138+
139+
### Authentication Flow
140+
141+
The client credentials flow is simpler than OAuth, involving just two steps:
142+
143+
1. **Request Access Token** - Exchange your credentials for an access token
144+
2. **Use Access Token** - Make API calls with the token
145+
146+
### Step 1: Request an Access Token
147+
148+
Submit a POST request to `/auth/token` with your `client_id` and `client_secret`:
149+
150+
```sh
151+
curl --location --request POST 'https://api.monerium.dev/auth/token' \
134152
--header 'Content-Type: application/x-www-form-urlencoded' \
135153
--data-urlencode 'client_id=1234567890abcdef' \
136154
--data-urlencode 'client_secret=27b871f28ab834b6be75c21578b4c944527fe34fce3952dc59f9c928b8502ee8' \
137155
--data-urlencode 'grant_type=client_credentials'
138156
```
139157

140-
Response:
158+
**Successful Response:**
141159

160+
```json
161+
{
162+
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
163+
"token_type": "Bearer",
164+
"expires_in": 3600,
165+
"refresh_token": "your-refresh-token"
166+
}
142167
```
168+
169+
| Field | Description |
170+
|-------|-------------|
171+
| `access_token` | The token to use for API requests |
172+
| `token_type` | Always "Bearer" |
173+
| `expires_in` | Token lifetime in seconds (typically 3600 = 1 hour) |
174+
| `refresh_token` | Token to request a new access token when it expires |
175+
176+
**Error Response:**
177+
178+
```json
143179
{
144-
access_token: "your-access-token",
145-
expires_in: 3600,
146-
refresh_token: "your-refresh-token",
147-
token_type: "Bearer"
180+
"error": "invalid_client",
181+
"error_description": "Client authentication failed"
148182
}
149183
```
150184

185+
| Error Code | Description |
186+
|------------|-------------|
187+
| `invalid_client` | Invalid `client_id` or `client_secret` |
188+
| `invalid_request` | Missing required parameters |
189+
| `unauthorized_client` | Client not authorized to use this grant type |
190+
191+
### Step 2: Use the Access Token
192+
193+
Include the access token in the `Authorization` header for all API requests:
194+
195+
```sh
196+
curl --location 'https://api.monerium.dev/profiles' \
197+
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...'
198+
```
199+
200+
### Refreshing the Access Token
201+
202+
When your access token expires, use the refresh token to obtain a new one without re-authenticating:
203+
204+
```sh
205+
curl --location --request POST 'https://api.monerium.dev/auth/token' \
206+
--header 'Content-Type: application/x-www-form-urlencoded' \
207+
--data-urlencode 'grant_type=refresh_token' \
208+
--data-urlencode 'refresh_token=your-refresh-token' \
209+
--data-urlencode 'client_id=1234567890abcdef' \
210+
--data-urlencode 'client_secret=27b871f28ab834b6be75c21578b4c944527fe34fce3952dc59f9c928b8502ee8'
211+
```
212+
213+
The response will contain a new `access_token` and `refresh_token`.
214+
215+
### Security Best Practices
216+
217+
:::danger Keep Your Secrets Safe
218+
- **Never commit** `client_secret` to version control
219+
- **Store securely** using environment variables or secret management services (e.g., AWS Secrets Manager, HashiCorp Vault)
220+
- **Rotate regularly** - Generate new credentials periodically
221+
- **Use HTTPS only** - Never send credentials over unencrypted connections
222+
- **Monitor usage** - Watch for unusual API activity that might indicate compromised credentials
223+
:::
224+
225+
### Complete Example
226+
227+
Here's a complete Node.js example:
228+
229+
```javascript
230+
// Store credentials in environment variables
231+
const CLIENT_ID = process.env.MONERIUM_CLIENT_ID;
232+
const CLIENT_SECRET = process.env.MONERIUM_CLIENT_SECRET;
233+
234+
async function getAccessToken() {
235+
const params = new URLSearchParams({
236+
grant_type: 'client_credentials',
237+
client_id: CLIENT_ID,
238+
client_secret: CLIENT_SECRET
239+
});
240+
241+
const response = await fetch('https://api.monerium.dev/auth/token', {
242+
method: 'POST',
243+
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
244+
body: params
245+
});
246+
247+
if (!response.ok) {
248+
const error = await response.json();
249+
throw new Error(`Authentication failed: ${error.error_description}`);
250+
}
251+
252+
const { access_token, expires_in, refresh_token } = await response.json();
253+
return { access_token, expires_in, refresh_token };
254+
}
255+
256+
async function makeApiRequest(accessToken) {
257+
const response = await fetch('https://api.monerium.dev/profiles', {
258+
headers: { 'Authorization': `Bearer ${accessToken}` }
259+
});
260+
261+
return response.json();
262+
}
263+
264+
// Usage
265+
const { access_token } = await getAccessToken();
266+
const profiles = await makeApiRequest(access_token);
267+
console.log(profiles);
268+
```
269+
151270
Endpoint documentation: [Access Token](docs/api#tag/auth/operation/auth-token)
152271

153272
Further reading:

apps/developer/docs/getting-started.mdx

Lines changed: 119 additions & 37 deletions
Original file line numberDiff line numberDiff line change
@@ -3,68 +3,150 @@ title: Getting Started
33
id: getting-started
44
---
55

6-
# Monerium developer documentation
6+
# Getting Started
77

8-
## Introduction
8+
Welcome to Monerium! This guide will help you integrate the Monerium API to offer your users IBANs directly connected to their blockchain addresses. Enable seamless money transfers between bank accounts and blockchains over the SEPA network.
99

10-
This guide will help you get started with the Monerium API to offer your users IBAN's directly connected to their blockchain address. This enables a seamless experience to collect and send money between bank accounts and blockchains over the SEPA network.
10+
## Overview
1111

12-
## Getting Started
12+
Before you begin, determine which integration type fits your needs:
1313

14-
### Sign Up
14+
:::tip Choose Your Integration Type
1515

16-
To get started, head over to our [Sandbox](https://sandbox.monerium.dev) and sign up.
16+
**Building a user-facing app?**[OAuth](#oauth) - Users authenticate with their Monerium accounts
1717

18-
### Creating an App
18+
**Automating your own account?**[Personal](#personal) - Run scripts and backend jobs on your account
1919

20-
Once signed up, head over the [developer portal](https://sandbox.monerium.dev/developers) and create an app.
20+
**Managing accounts for your users?**[White-label](#white-label) - Full platform control, Monerium abstracted away
2121

22-
### Obtaining Credentials
22+
:::
2323

24-
After creating an app, you will receive two distinct sets of credentials, each tailored for specific use cases. Below is a breakdown of these credentials and guidance on how to use them effectively.
24+
---
25+
26+
## Setup
27+
28+
### 1. Create Your Account
29+
30+
Head over to our [Sandbox](https://sandbox.monerium.dev) and sign up for a developer account.
31+
32+
### 2. Create an App
33+
34+
Once signed up, go to the [developer portal](https://sandbox.monerium.dev/developers) and create a new app. You'll need to select an app type based on your use case.
35+
36+
---
37+
38+
## App Types
39+
40+
Choose the authentication flow that matches your integration needs:
41+
42+
### 🔐 OAuth (User-facing Apps) {#oauth}
43+
44+
**Authentication:** [Authorization Code Flow with PKCE (Proof Key for Code Exchange)](#auth-flow)
45+
46+
**How it works:** Your app acts on behalf of Monerium users with their explicit consent. Users sign in with their Monerium credentials and grant your app permission to access their accounts.
47+
48+
**Credentials you'll receive:**
49+
- `client_id` - Unique identifier for OAuth flows
50+
51+
**Best for:**
52+
- Web applications
53+
- Mobile apps
54+
- Any app where users authenticate and control their own data
55+
56+
**Pricing:** Free
57+
58+
**Next steps:** [OAuth Implementation Guide →](./authorization)
59+
60+
---
61+
62+
### 🤖 Personal (Own Account) {#personal}
2563

26-
### Types of Credentials
64+
**Authentication:** [Client Credentials Flow](#client-credentials)
2765

28-
1. **Authorization Code Flow Credentials**
66+
**How it works:** Your app performs automated actions directly on your own Monerium account, such as processing payments or checking balances.
2967

30-
- `client_id`: A unique identifier for user authentication flows.
31-
- **Use Case:** Designed for secure client-side applications, paired with PKCE (Proof Key for Code Exchange) to enhance security.
32-
- **Ideal For:** User-facing applications such as web apps or mobile apps.
68+
**Credentials you'll receive:**
69+
- `client_id` - Unique identifier
70+
- `client_secret` - Secret key for authentication (keep secure!)
3371

34-
2. **Client Credentials**
35-
- `client_id` and `client_secret`: A pair of credentials used for server-to-server authentication.
36-
- **Use Case:** Server-to-server authentication.
37-
- **Ideal For:** Backend services and API integrations, where user interaction is not required.
72+
**Best for:**
73+
- Backend scripts
74+
- Scheduled jobs
75+
- Internal tooling and automation
3876

39-
### Implementing Authorization Code Flow
77+
**Pricing:** Free
4078

41-
1. Redirect users to the authorization flow.
42-
2. Handle the returned authorization code.
43-
3. Exchange the code for an access token.
79+
**Next steps:** [Client Credentials Guide →](./authorization#client-credentials-authorization)
4480

45-
[In-depth guide](./authorization)
81+
---
82+
83+
### 🏢 White-label (Managed Users) {#white-label}
84+
85+
**Authentication:** [Client Credentials Flow](#client-credentials)
86+
87+
**How it works:** Your platform manages users and their payment accounts directly. Monerium is fully abstracted away from your end users—they never see or interact with Monerium.
88+
89+
**Credentials you'll receive:**
90+
- `client_id` - Unique identifier
91+
- `client_secret` - Secret key for authentication (keep secure!)
92+
93+
**Best for:**
94+
- Payment platforms
95+
- Fintech applications
96+
- Services requiring full control over user payment flows
97+
98+
**Pricing:** €5,000/month
99+
100+
:::info Enterprise Solution
101+
This is an enterprise solution for platforms that want to offer IBAN accounts under their own brand. Contact us to discuss your requirements.
102+
:::
103+
104+
**Next steps:** [Client Credentials Guide →](./authorization#client-credentials-authorization)
105+
106+
---
107+
108+
## Implementation Guides
109+
110+
### OAuth - Authorization Code Flow with PKCE (Proof Key for Code Exchange) {#auth-flow}
111+
112+
For user-facing applications using OAuth with PKCE:
113+
114+
1. Redirect users to the Monerium authorization endpoint
115+
2. Handle the returned authorization code
116+
3. Exchange the code for an access token
117+
4. Use the access token to make API calls
46118

47-
### Using Client Credentials
119+
**[📖 Read the OAuth guide →](./authorization)**
48120

49-
For server-side authentication, follow these steps:
121+
### Client Credentials {#client-credentials}
50122

51-
1. Use the `client_id` and `client_secret` to authenticate your application.
52-
2. Request an access token directly from the authorization server.
123+
For server-to-server authentication (Personal and White-label):
53124

54-
[In-depth guide](./authorization#client-credentials-authorization)
125+
1. Securely store your `client_id` and `client_secret`
126+
2. Request an access token from the authorization server
127+
3. Use the access token to make API calls
55128

56-
### Key Concepts and References
129+
**[📖 Read the Client Credentials guide →](./authorization#client-credentials-authorization)**
57130

58-
- OAuth 2.0: The foundational framework for authorization. [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749).
131+
---
132+
133+
## Additional Resources
134+
135+
### Key OAuth Concepts
59136

60-
- PKCE (Proof Key for Code Exchange): A security enhancement for public clients. [RFC 7636](https://www.rfc-editor.org/rfc/rfc7636)
137+
- **OAuth 2.0** - The foundational framework for authorization. [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749)
138+
- **PKCE** - Security enhancement for public clients. [RFC 7636](https://www.rfc-editor.org/rfc/rfc7636)
139+
- **Client Credentials Grant** - Server-to-server authentication flow. [RFC 6749 §4.4](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4)
140+
- **Bearer Authentication** - Method for transmitting access tokens. [RFC 6750](https://datatracker.ietf.org/doc/html/rfc6750)
61141

62-
- Bearer Authentication: A method for transmitting access tokens. [RFC 6750](https://datatracker.ietf.org/doc/html/rfc6750)
142+
### API Documentation
63143

64-
## Next steps.
144+
Explore the complete API reference:
65145

66-
Head over to the [API Documentation](./docs/api) to get started with the Monerium API.
146+
**[📖 View API Documentation →](./docs/api)**
147+
148+
---
67149

68-
## Need help?
150+
## Need Help?
69151

70-
We have a [Discord server](https://monerium.com/invite/discord) where you can get help from the community and the Monerium team.
152+
Join our [Discord server](https://monerium.com/invite/discord) to get help from the community and the Monerium team.

0 commit comments

Comments
 (0)