Authentication
Every API session begins with the authentication process, regardless of whether a user is attempting to price a loan, to price and lock a loan, to lock a saved result, to modify a lock, etc. A user can authenticate using one of three methods:
- Authen JWT
- Authen LOS
- PPE API Secret
Authen JWT
The Authen JWT method employs a JSON Web Token (JWT) and uses the following API call:
POST {{protocol}}{{domainAuth}}/oauth/token
A user (username and password) must be created for the client (see Getting Started). Any user can use the API, subject to the selected Group.
A successful response returns an access token in the access_token field.
Settings
Username: user.username
Password: user.password
Domain: Settings > Company Settings > Desired Subdomain => your_company.digitallending.com
Headers
| Header | Value |
|---|---|
| Origin | {{Origin}} (Settings > Company Settings > Desired Domain) |
| Authorization | Basic cHBlLWxlbmRlcnByaWNlOmxwc2VjcmV0 (format: "Basic " + Base64.encode("acme2" + ':' + "acmesecret")) |
Request
```bash
curl --location -g --request POST 'https://{{domainAuth}}/oauth/token' \
  --header 'Origin: {{Origin}}' \
  --header 'Authorization: Basic YWNtZTI6YWNtZXNlY3JldA==' \
  --form 'username="{{username}}"' \
  --form 'password="{{password}}"' \
  --form 'grant_type="password"' \
  --form 'client_id="acme2"'
```
Response
200 OK
Header:
```
Date: Mon, 27 Apr 2020 00:48:26 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: https://housingfinancial.cre8techdev.com
Access-Control-Expose-Headers: Authorization, Content-Type
Access-Control-Allow-Credentials: true
Pragma: no-cache
Cache-Control: no-store
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
```
Body:
```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "bearer",
  "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "expires_in": 599,
  "scope": "openId",
  "temporary": false,
  "fromLP": false,
  "loanOfficerNmlsId": "78665",
  "userId": "5d8d5d73ec57dc0001dd86e7",
  "deviceId": "68909274-7277-4868-840f-038098f7d0fa",
  "loanAppSessionPolicy": {
    "limitOneLoanAppPerSession": false,
    "limitOneSessionPerLoanApp": false
  },
  "enabled": true,
  "companyUserType": "COMPANY_USER",
  "companyId": "5d6430f469515b0001936397",
  "registrationIncomplete": false,
  "employeeLoanEligible": false,
  "person": {
    "firstname": "Joe",
    "middlename": null,
    "lastname": "Smith"
  },
  "userType": "CompanyUser",
  "email": "companyuser@lenderprice.com",
  "companyNmlsId": "006450",
  "resetPasswordRequired": false,
  "jti": "44eb9af4-d36b-4426-8505-7b62fb436e45"
}
```
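Client-side handling of the token exchange above, as an added example (not code from the original page or from the API vendor): it builds the Basic header from the client ID and secret, checks the response fields before the token is used, derives a refresh time from expires_in, and masks token values for logging. The function names, the 30-second skew and the RS256 pin are assumptions; the sample tokens are constructed.

```python
import base64
import json

SECRET_FIELDS = ("access_token", "refresh_token")

def basic_auth_header(client_id, client_secret):
    """'Basic ' + Base64(client_id:client_secret), as in the Headers table."""
    pair = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")

def jwt_alg(token):
    """alg declared in the JWT header; decodes only, does NOT verify the signature."""
    try:
        seg = token.split(".")[0]
        header = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
        return header.get("alg") if isinstance(header, dict) else None
    except (AttributeError, ValueError):
        return None

def check_token_response(body, now, skew=30):
    """Return (problems, refresh_at) for a parsed /oauth/token response body."""
    problems = []
    if str(body.get("token_type", "")).lower() != "bearer":
        problems.append("token_type is not bearer")
    # Assumption: the service always signs with RS256, as the sample token's header shows.
    if jwt_alg(body.get("access_token")) != "RS256":
        problems.append("access_token header alg is not RS256")
    if body.get("enabled") is not True:
        problems.append("user is not enabled")
    if body.get("resetPasswordRequired"):
        problems.append("password reset required")
    expires_in = body.get("expires_in")
    if not isinstance(expires_in, int) or expires_in <= skew:
        return problems + ["expires_in missing or too short"], None
    return problems, now + expires_in - skew  # refresh before the token lapses

def redact(body):
    """Copy of the body that is safe to log: token values are masked."""
    return {k: ("<redacted>" if k in SECRET_FIELDS else v) for k, v in body.items()}

# Constructed sample: field names and values follow the response above; each token is
# the page's header segment plus a made-up payload and signature.
SAMPLE = {
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.e30.c2ln",
    "token_type": "bearer",
    "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.e30.c2ln",
    "expires_in": 599, "enabled": True, "resetPasswordRequired": False,
}
```

Reading the header this way only detects an unexpected algorithm; the signature itself still has to be verified by whichever component trusts the token's claims.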
Authen LOS
The Authen LOS method uses the following call:
POST {{protocol}}{{domainAuth}}/oauth/token
A user (username and password) must be created for the client (see Getting Started). Any user can use the API, subject to the selected Group.
A successful response returns an access token in the access_token field.
Settings
Username: user.username
Password: user.password
Domain: Settings > Company Settings > Desired Subdomain => your_company.digitallending.com
Headers
| Header | Value |
|---|---|
| Origin | {{Origin}} (Settings > Company Settings > Desired Domain) |
| Authorization | Basic cHBlLWxlbmRlcnByaWNlOmxwc2VjcmV0 (format: "Basic " + Base64.encode("EXT_Encompass" + ':' + "EXT_Password")) |
Request
```bash
curl --location -g --request POST 'https://{{domainAuth}}/oauth/token' \
  --header 'Origin: {{Origin}}' \
  --header 'Authorization: Basic YWNtZTI6YWNtZXNlY3JldA==' \
  --form 'username="{{username}}"' \
  --form 'password="{{password}}"' \
  --form 'grant_type="password"' \
  --form 'client_id="acme2"'
```
Response
200 OK
Header:
```
Date: Mon, 27 Apr 2020 00:48:26 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: https://housingfinancial.cre8techdev.com
Access-Control-Expose-Headers: Authorization, Content-Type
Access-Control-Allow-Credentials: true
Pragma: no-cache
Cache-Control: no-store
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
```
Body:
```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "bearer",
  "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "expires_in": 599,
  "scope": "openId",
  "temporary": false,
  "fromLP": false,
  "loanOfficerNmlsId": "78665",
  "userId": "5d8d5d73ec57dc0001dd86e7",
  "deviceId": "68909274-7277-4868-840f-038098f7d0fa",
  "loanAppSessionPolicy": {
    "limitOneLoanAppPerSession": false,
    "limitOneSessionPerLoanApp": false
  },
  "enabled": true,
  "companyUserType": "COMPANY_USER",
  "companyId": "5d6430f469515b0001936397",
  "registrationIncomplete": false,
  "employeeLoanEligible": false,
  "person": {
    "firstname": "Joe",
    "middlename": null,
    "lastname": "Smith"
  },
  "userType": "CompanyUser",
  "email": "companyuser@lenderprice.com",
  "companyNmlsId": "000645",
  "resetPasswordRequired": false,
  "jti": "44eb9af4-d36b-4426-8505-7b62fb436e45"
}
```
PPE API Secret
The PPE API Secret method uses the following call:
GET {{protocol}}{{domainAuth}}/encodeAES128/:apiKey/:userId
A successful response returns a code in the valid field and the API secret in the secret field.
Headers
| Header | Value |
|---|---|
| apiKey | {{key}} |
| userId | {{userId}} |
Request
```bash
curl --location -g --request GET '{{protocol}}{{domain}}/encodeAES128/{{key}}/{{userId}}'
```
Response
200 OK
Header:
```
vary: accept-encoding
Content-Encoding: gzip
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Thu, 01 Apr 2021 15:52:18 GMT
```
Body:
```json
{
  "valid": 1617378738417,
  "secret": "V7IZTzaHrmKamZeWj4Ru5IgQkty1PjgKITlE5axkPI/kWU0LM1gRBWABrIdo1X14"
}
```