Credentials
Flinks uses four credentials. Each serves a different purpose in the authentication flow.Toolbox sandbox credentials
Use these shared credentials to test in the Toolbox sandbox environment. They are also listed in Testing Environments.These are shared public sandbox credentials for testing. Your production credentials are unique and provided by Flinks during integration setup.
Sandbox iframe setup
When using the sandbox environment with Flinks Connect, you must includedemo=true in the iframe URL. This parameter enables the Flinks Capital test institution, which is the only institution available in sandbox.
demo=true, the Flinks Capital test institution will not appear and you won’t be able to complete the connection flow in sandbox. The demo parameter should only be used in sandbox. Remove it for production.
For the full list of iframe parameters, see Flinks Connect Widget Parameters. For sandbox login credentials and test scenarios (MFA, errors, edge cases), see Test Users.
Headers by endpoint
Theflinks-auth-key header is used on two endpoints but carries a different value on each.
Data endpoints (
/GetAccountsDetail, /GetAccountsDetailAsync, /GetAccountsSummary, etc.) authenticate using the RequestId returned by /Authorize and the x-api-key header. They do not require the flinks-auth-key header.
Verify webhook callbacks
When Flinks sends a webhook callback to your endpoint, the request includes an HMAC-SHA256 signature in theflinks-authenticity-key header. Use your HMAC secret to verify that the payload came from Flinks and hasn’t been tampered with.
For implementation details and code samples (Python, Node.js), see HMAC Signature Validation.
Authentication flow
Step 1: Generate an authorize token
Call/GenerateAuthorizeToken with your secret key in the flinks-auth-key header. The response contains a one-time authorize token.
Step 2: Authenticate with the authorize token
How you pass the authorize token depends on your integration type:- Flinks Connect: Add
authorizeToken={token}as a URL parameter on the iframe URL. - Direct API: Pass the authorize token in the
flinks-auth-keyheader when calling/Authorize.
/Authorize returns a RequestId that you use to call data endpoints.
Step 3: Call data endpoints
Pass theRequestId to data endpoints such as /GetAccountsDetail. No flinks-auth-key header is needed on data endpoints.
For the full data retrieval flow after authentication, see Retrieve Account Data.
Handle token expiry in Flinks Connect
The authorize token expires after 15 minutes. The/GenerateAuthorizeToken endpoint does not return a TTL, so your application must handle expiry reactively.
If the user does not complete the connection flow within 15 minutes, Flinks Connect emits a JavaScript event:
authorizeToken parameter.
Implementation
Listen forTOKEN_INVALID alongside your other Flinks Connect events:
Common authentication errors
/GetAccountsDetail, /GetAccountsDetailAsync, and /GetStatements complete the session and consume the requestId. Later calls with the same requestId return SESSION_EXPIRED. /GetAccountsSummary and Attributes calls do not consume it. In cached mode, a cached requestId is not consumed by cached /GetAccountsDetail.