/
5 minute read
November 30, 2022

Authentication

Marqeta’s Core API enforces HTTP Basic Authentication on incoming requests. This mechanism utilizes the standard Authorization field in the header for holding the credentials.

Authentication types

All requests must provide the application token as the username. This token identifies the application that sent the request. The password can be either unspecified, an admin access token, a user access token, or a single-use access token. Depending on the password value provided, the Marqeta platform assigns one of four authentication types to the request. Each authentication type corresponds to an authorization level that controls the request’s access to API endpoints and data.

The following table summarizes the Marqeta platform authentication types and their corresponding authorization levels.

Authentication Type and Authorization Level Application Token Required as Username Admin Access Token Required as Password User Access Token Required as Password Single-Use Access Token Required as Password

Unauthenticated

Authorizes access to public API endpoints and data.

Admin

Authorizes access to all API endpoints and data associated with the program.

User

Authorizes access to all API endpoints and data associated with the user.

User single-use

Authorizes a single request with access to all API endpoints and data associated with the user.

Client access

Displays a virtual card’s sensitive data.

Obtaining tokens

Marqeta distributes application tokens and admin access tokens directly to customers. These tokens are static, meaning that you can reuse them indefinitely.

User access tokens and single-use access tokens are dynamically allocated by the Core API:

  • A POST request to the /users/auth/login endpoint returns a user access token that is valid until the user is logged out or times out.

  • A POST request to the /users/auth/onetime endpoint returns a single-use access token for a specified user that is valid for a single request.

  • A POST request to the /users/auth/clientaccesstoken endpoint returns an access token for a specified card that is valid for a single request.

See the Log in user, Create single-use token, and Create client access token sections of the Users API reference page for more information about these endpoints.

Expiration and throttling

Application tokens and admin access tokens never expire. User access tokens and user single-access tokens expire after 120 minutes. Client access token expire after 5 minutes.

Requesting a user access, user single-access, or a client access token using incorrect credentials returns an HTTP 401 status code. A throttling mechanism limits token requests to three within any 60 consecutive seconds. Throttled token requests also return an HTTP 401 status code.

cURL example

This example illustrates a call (in cURL format) to retrieve account balances for a user. The user’s ID token is bigbird_token. The user’s current user access token is user_access_token. The application token is application_token.

cURL
Copied

Is this helpful?

Yes
No

Subscribe to our developer newsletter