Authentication
The Silverflow API requires authentication on all endpoints and methods. The API supports two distinct authentication schemes.
API Key
The primary method of authenticating to the Silverflow API is through API keys. API keys can be created by calling the Create API Key endpoint. You can create up to 40 API keys and update and delete them, allowing for credential rotation.
The Agent Activation process will generate an initial API Key for you. Please take a look at Activate Agent. A call to the Create API Key endpoint will return the following structure:
Important: The secret is only returned once in response to the createApiKey call.
Once created, the key and secret fields from the API key must be used in the HTTP Authorization header using the Basic scheme. The Basic scheme requires a username and password to be specified, separated by a colon (:) and Base64 encoded. Use the following values from the API key to construct a Basic authentication header:
Basic field | API key field | Example |
username | | |
password | | |
In pseudo-code, a valid HTTP Basic Authentication header would be constructed as follows:
Using the values from the example, a valid HTTP request would look like the following:
More information on the Basic scheme can be found in RFC-7617 - The 'Basic' HTTP Authentication Scheme.
Security Scheme Type: HTTP
HTTP Authorization Scheme: basic
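The construction described above, as an added Python example (not Silverflow's own code). The sample credentials are the ones used in RFC 7617, not a Silverflow API key; the function names are chosen here. The round trip shows that Base64 is an encoding and not encryption, so the header must be treated like the secret itself and kept out of logs.

```python
import base64


def basic_auth_header(key, secret):
    """Build the Authorization header value from an API key's key and secret."""
    if not key or not secret:
        raise ValueError("key and secret are both required")
    # RFC 7617: the user-id must not contain ':' because the receiver
    # splits the decoded string on the first colon.
    if ":" in key:
        raise ValueError("key must not contain ':'")
    token = base64.b64encode(f"{key}:{secret}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth_header(value):
    """Recover (username, password) from a Basic header value."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")  # password may contain ':'
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def redact(header):
    """Form that is safe to write to logs: scheme only, credential dropped."""
    scheme, _, _ = header.partition(" ")
    return f"{scheme} [REDACTED]"


if __name__ == "__main__":
    # Sample values from RFC 7617, section 2 (not real credentials).
    header = basic_auth_header("Aladdin", "open sesame")
    print("Authorization:", redact(header))
    # Anyone who sees the raw header can recover the secret:
    print(parse_basic_auth_header(header))
```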
Bearer Token
Bearer tokens are temporary security credentials that can be used to authorize 'third parties' (bearers) to access the Silverflow API on behalf of the agent. These tokens are created by calling the Create Agent Bearer Token endpoint. Once created, the token field must be used in the HTTP Authorization header using the Bearer scheme. An example of an HTTP request with a bearer token:
More information on the Bearer scheme can be found in RFC-6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage.
Security Scheme Type: HTTP
HTTP Authorization Scheme: bearer
Bearer format: JWT
IP Restrictions
It is possible to add IP restrictions to API keys and Bearer tokens. Doing so reduces the risk posed by a compromised key. Keys and tokens with IP restrictions are not usable outside the specified ranges; requests from other addresses yield a generic 401 Authentication Required error. IP restrictions can be expressed using the CIDR format (n.n.n.n/n).
CIDR block | Description |
| Single IP address |
| All IP addresses between |
| The entire internet |
More information on the CIDR format can be found in RFC 4632 - Classless Inter-domain Routing (CIDR).
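A way to check a planned IP restriction list before attaching it to a key, as an added Python example (not Silverflow's own code). It assumes restrictions are evaluated as ordinary CIDR containment; the function names, the 256-address threshold and the sample ranges (documentation and private address space) are constructed here.

```python
import ipaddress


def parse_allowlist(cidrs):
    """Parse CIDR strings strictly: host bits set (192.0.2.5/24) is an error."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_allowed(source_ip, allowlist):
    """True if source_ip falls inside at least one allowed block."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == net.version and addr in net for net in allowlist)


def audit(allowlist, max_addresses=256):
    """Flag blocks that restrict little or nothing."""
    findings = []
    for net in allowlist:
        if net.prefixlen == 0:
            findings.append((str(net), "matches every address; no restriction in effect"))
        elif net.num_addresses > max_addresses:
            findings.append((str(net), f"covers {net.num_addresses} addresses"))
    return findings


if __name__ == "__main__":
    # Constructed sample list: one host, one private /8, and the whole internet.
    allowlist = parse_allowlist(["203.0.113.10/32", "10.0.0.0/8", "0.0.0.0/0"])
    for block, reason in audit(allowlist):
        print(f"review {block}: {reason}")

    tight = parse_allowlist(["203.0.113.10/32", "198.51.100.0/24"])
    for ip in ("203.0.113.10", "198.51.100.77", "192.0.2.1"):
        # A request from an address outside the list would get the generic 401.
        print(ip, "allowed" if is_allowed(ip, tight) else "rejected")
```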
Permissions
API keys and Bearer tokens can have one or more permissions assigned. These permissions allow you to restrict what actions can be performed with the credentials. Using multiple API keys and restricting their permissions to only what they need specifically (least privilege) is good practice.
For instance, if you access the Silverflow API from your data lake, you could create an API key just for that subsystem and restrict the permissions to charges:List and reports:All.
When you make an API call with an API key that does not have the appropriate permissions, you will get a 403 Forbidden error. The details of the message will explain which permission you need to make the call successfully. The following permissions are available:
Permission name | Permissions |
| Allows retrieving an agent. |
| Allows updating an agent (name, registered address, etc.). |
| Allows getting a specific BIN of an agent. |
| Allows listing the BINs assigned to an agent. |
| Allows creating a temporary JWT token that can be used for disputes. |
| Allows the agent activation action. |
| Allows all actions associated with the agent. |
| Allows creating an API key with custom permissions. |
| Allows getting a specific API key. |
| Allows listing API keys for an agent. |
| Allows updating an API key. |
| Allows deleting an API key. |
| Allows all actions with API keys. |
| Allows an agent to get a list of all event subscriptions. |
| Allows creating an event subscription. |
| Allows getting a specific event subscription. |
| Allows updating an event subscription. |
| Allows removing an event subscription. |
| Allows creating a new merchant. |
| Allows getting specific merchants. |
| Allows getting all merchants for an agent. |
| Allows updating merchant info. |
| Allows removing a merchant. |
| Allows creating a merchant acceptor. |
| Allows getting a list of all acceptors for a merchant. |
| Allows all actions with the merchant. |
| Allows getting a merchant acceptor. |
| Allows updating a merchant acceptor. |
| Allows activating a merchant acceptor. |
| Allows removing a merchant acceptor. |
| Allows all actions with acceptors of a merchant. |
| Allows creating a charge. |
| Allows getting a charge. |
| Allows clearing a charge manually. |
| Allows creating a gaming payout charge. |
| Allows creating a POS charge. |
| Allows getting a list of all charges. |
| Allows reversing a charge. |
| Allows refunding a charge. |
| Allows requesting a cancellation or a refund for a charge. |
| Allows all actions with charges. |
| Allows an agent to get a list of all disputes. |
| Allows an agent to get a specific dispute. |
| Allows all actions with disputes. |
| Allows listing all dispute documents. |
| Allows adding a new document to a dispute. |
| Allows accepting liability for a dispute. |
| Allows defending a dispute. |
| Allows listing the event history of a dispute. |
| Allows getting card info. |
| Allows getting the settlement details report. |
| Allows getting the daily settlement totals report. |
| Allows getting quarterly reports for the card network. |
| Allows retrieval of Network Funds Transfers. |
| Allows getting any reports. |
| Allows all actions with documents. |
| Allows getting the metadata of a document. |
| Allows deleting a document. |
| Allows downloading a document. |
| Allows uploading a document. |
| Allows creating a token. |
| Allows getting a token. |
| Allows getting the token data. |
| Allows creating a token cryptogram. |
| Allows archiving a token. |
| Allows all actions with tokens. |
| Allows creating a processor token. |
| Allows getting a list of processor tokens. |
| Allows getting a processor token. |
| Allows archiving a processor token. |
| Allows all actions with processor tokens. |
all:All | Assigns all permissions. Use at your own risk. |
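A least-privilege review for the data lake case above, as an added Python example (not Silverflow's own code). It uses only the permission names that appear on this page (charges:List, reports:All, all:All) and assumes that a resource:All permission covers every action on that resource; the key names and function names are constructed here.

```python
WILDCARD_ACTION = "All"  # as in reports:All and all:All on this page


def grants(granted, required):
    """True if the granted set covers the single permission `required`.

    Assumption: `<resource>:All` covers every action on that resource,
    and `all:All` covers everything.
    """
    resource, _, _ = required.partition(":")
    candidates = {required, f"{resource}:{WILDCARD_ACTION}", "all:All"}
    return bool(candidates & set(granted))


def review_key(granted, needed):
    """Compare what a key has with what its subsystem needs.

    missing: calls that would fail with 403 Forbidden.
    excess:  permissions held that the subsystem never asked for.
    """
    granted, needed = set(granted), set(needed)
    return {
        "missing": sorted(p for p in needed if not grants(granted, p)),
        "excess": sorted(granted - needed),
    }


if __name__ == "__main__":
    # What the data lake subsystem needs, per the example on this page.
    needed = {"charges:List", "reports:All"}

    # Constructed inventory: key label -> permissions currently assigned.
    inventory = {
        "datalake-scoped": {"charges:List", "reports:All"},
        "datalake-legacy": {"all:All"},
        "datalake-partial": {"reports:All"},
    }
    for name, granted in inventory.items():
        print(name, review_key(granted, needed))
```

A key with an empty `missing` list and a non-empty `excess` list works today but carries more authority than its subsystem uses.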