API Authentication
Bixi API endpoints require all requests to be authenticated and authorized by a secure API token in order to process transactions. An API token allows third-party services to authenticate with a Bixi account on your application’s behalf.
Starting from version 3.0 of Bixi API, tokens are no longer generated through an API request. Instead, API tokens can only be created manually by logging in to the client dashboard and navigating to the logged-in user’s API tokens screen.
Developers can create as many API tokens as they need for a given user account and set permissions for each token. For example, a token planned for pulling financial statement records or the information of a single transaction can be given view permissions, while a token intended to send or receive payments can be given create permissions.
Available API token permissions
- View Transaction(s): The token can only view one or more transactions created by the organization account.
- View Statements: The token can pull financial statements for the organization account.
- Send Transaction(s): The token can only send transactions.
- Request Transaction(s): The token can only request transactions.
One token can enable all four permissions, but this is not recommended practice. Instead, developers are advised to create a token for transaction operations and another for accounting performance.
Security
Once a token is created, it is hashed using the SHA-256 cryptographic hashing algorithm before being securely stored, which means its original plaintext string cannot be retrieved again. Therefore, it is highly recommended that the developer store the API token securely, for example, in an encrypted .env file or a configuration file that is not committed to a version control system.
Revoking Tokens
Bixi’s API tokens do not expire, but the developer can revoke them anytime by logging into the client dashboard and clicking the revoke button. Once a token is revoked, all active request implementations using it will be invalidated and rejected.
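The following Python sketch is an added example, not Bixi's code: it models the behavior described under Available API token permissions, Security and Revoking Tokens (hash-only storage, per-token permissions, revocation). The class name, permission identifiers and token IDs are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Identifiers for the four permissions listed on this page (names are assumed).
PERMISSIONS = {"view_transactions", "view_statements",
               "send_transactions", "request_transactions"}


class TokenStore:
    """Hypothetical hash-only token store; not Bixi's implementation."""

    def __init__(self):
        self.records = {}  # token_id -> {"digest", "permissions", "revoked"}

    def issue(self, permissions):
        permissions = set(permissions)
        if not permissions or not permissions <= PERMISSIONS:
            raise ValueError("unknown or empty permission set")
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        token_id = secrets.token_hex(4)    # non-secret handle for the dashboard
        self.records[token_id] = {
            # Unsalted SHA-256 is adequate only because the token is random
            # and high-entropy; it would not be for a user-chosen password.
            "digest": hashlib.sha256(token.encode()).hexdigest(),
            "permissions": permissions,
            "revoked": False,
        }
        return token_id, token  # plaintext leaves here once and is not kept

    def authorize(self, token, permission):
        presented = hashlib.sha256(token.encode()).hexdigest()
        for record in self.records.values():
            # Constant-time comparison of the two digests.
            if hmac.compare_digest(record["digest"], presented):
                return not record["revoked"] and permission in record["permissions"]
        return False  # unknown token

    def revoke(self, token_id):
        record = self.records.get(token_id)
        if record is None:
            return False
        record["revoked"] = True  # every later request with this token fails
        return True
```

Because only the digest is stored, a lost token cannot be recovered from the store; the remedy is to revoke it and issue a new one with the same narrow permission set.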