Overview
Proper authentication is required for all API calls to the Presto Financial Institutions API.
Authentication Scheme
Bearer Token Authentication
The Presto Financial Institutions API uses Bearer token authentication. Include your token in the Authorization header of each request:
Authorization: Bearer <your-token>
Token Issuance
Authentication tokens are generated through the token issue endpoint. You can create tokens with specific names and expiration dates. When a new token is issued, any existing tokens are automatically revoked. The generated token must be attached to every request.
Transport Security
All API communication must use TLS, and only on port 443/tcp. Requests over plain HTTP will be rejected. Always verify the server's TLS certificate to prevent man-in-the-middle attacks.
IP Whitelisting
For enhanced security, only requests originating from IP addresses provided during the onboarding process are permitted to access the API. This additional layer of security helps prevent unauthorized access even if authentication tokens are compromised.
If your organization needs to add, remove, or modify the whitelisted IP addresses, please contact security@presto.com immediately. Any changes to your network infrastructure that affect your source IP addresses should be communicated to Presto in advance to prevent service disruption.
Obtaining an Authentication Token
Use the token issue endpoint to generate authentication tokens for API access. You can specify a name for the token and its expiration date. For detailed information on the request parameters and response format, refer to the token issue documentation.
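The checks described above (Bearer header, token expiry, revoke-on-reissue, HTTPS only, and the onboarding IP allowlist) as an added, constructed server-side model; this is example code, not Presto's implementation, and the class, institution ids and IP ranges are hypothetical:

```python
import hashlib
import hmac
import ipaddress
import secrets
import time

# Constructed model of the controls described on this page (not Presto's code):
# named bearer tokens with an expiry, one active token per institution (issuing
# a new token revokes the previous one), HTTPS-only transport, and a source-IP
# allowlist fixed at onboarding. Institution ids and IP ranges are made up.

class ApiGate:
    def __init__(self):
        self.allowlist = {}   # institution id -> list of ip_network
        self.tokens = {}      # sha256(token) -> {"inst", "name", "expires"}

    def onboard(self, inst, cidrs):
        self.allowlist[inst] = [ipaddress.ip_network(c) for c in cidrs]

    def issue_token(self, inst, name, ttl_days, now=None):
        now = time.time() if now is None else now
        # Issuing a new token revokes every token previously issued to this institution.
        self.tokens = {h: r for h, r in self.tokens.items() if r["inst"] != inst}
        token = secrets.token_urlsafe(32)
        # Only the hash is kept server-side; the plaintext is returned to the caller once.
        self.tokens[hashlib.sha256(token.encode()).hexdigest()] = {
            "inst": inst, "name": name, "expires": now + ttl_days * 86400}
        return token

    def authenticate(self, request, now=None):
        """Return (institution id, None) on success, or (None, reason) on rejection."""
        now = time.time() if now is None else now
        if request.get("scheme") != "https":
            return None, "plain_http_rejected"
        scheme, _, presented = request.get("headers", {}).get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not presented:
            return None, "missing_bearer_token"
        digest = hashlib.sha256(presented.encode()).hexdigest()
        # hmac.compare_digest keeps each hash comparison free of timing differences.
        record = next((r for h, r in self.tokens.items() if hmac.compare_digest(h, digest)), None)
        if record is None:
            return None, "unknown_or_revoked_token"
        if now >= record["expires"]:
            return None, "token_expired"
        src = ipaddress.ip_address(request["source_ip"])
        if not any(src in net for net in self.allowlist.get(record["inst"], [])):
            return None, "source_ip_not_allowlisted"   # valid token but wrong network
        return record["inst"], None
```

A request is modelled as a dict with the transport scheme, headers and source address so that each rejection reason can be exercised independently.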
Security Guidelines
Password Management
The API provides a password reset endpoint that allows users to change their password by providing their email, current password, and new password.
Token Security
- Secure Storage - Store tokens in secure storage such as a key vault or secrets manager, encrypted configuration files, or environment variables injected at runtime, never in source code
- No Client-Side Storage - Never store tokens in client-side code, browser storage, mobile apps, or any publicly accessible location
- Limited Access - Restrict token access to only the systems and personnel that require it
Communication Security
- Use HTTPS for all communications - Enforce TLS for all API interactions
- Maintain IP whitelist - Ensure your allowed IP addresses are kept current with Presto