v1.0.5Changelog

Authentication Mechanism

The QwikLive EAPI uses header-based credential authentication. Unlike OAuth 2.0 flows, there is no token exchange — your client_id and client_secret are included directly in the HTTP headers of every request.

This model is common in enterprise gateway integrations where channel clients (ATM switches, IVR systems) make machine-to-machine calls and require low-latency authentication without a token refresh cycle.

Required Headers

Every request to a service endpoint must include all of the following headers:

HeaderRequiredFormatDescription
x-correlation-id Yes UUID v4 Unique identifier for this request. Generated fresh per request. Used for end-to-end tracing and support queries. Example: 550e8400-e29b-41d4-a716-446655440000
client_id Conditional string Client ID issued by the QwikLive Developer Portal. Required when client-ID-based policies are active. Provided during onboarding.
client_secret Conditional string Client secret paired with client_id. Treat as a password. Never log or expose this value.
partnerId Yes* string Identifies the integration partner that originated the request. Required on all endpoints except GET /api/health. Example: PARTNER-ATM-001
Content-Type Yes string Must be application/json on all POST requests.
Note — Health Endpoint Exception

The GET /api/health endpoint does not require authentication headers. It is used for connectivity verification and dependency status checks before initiating a session.

Path Parameter: {version}

All service endpoints include a {version} path parameter. Use v1 for the current production-aligned version.

text
# Correct — always specify version in the path
POST /api/ssb/accountservices/v1/accounts/balance

# All service endpoints follow this pattern
POST /api/ssb/accountservices/{version}/{endpoint}

Complete Header Example

Here is a complete authenticated request showing all required headers:

http
POST /api/ssb/accountservices/v1/accounts/balance HTTP/1.1
Host: {sandbox-host}
Content-Type:     application/json
x-correlation-id: 550e8400-e29b-41d4-a716-446655440000
client_id:        your-sandbox-client-id
client_secret:    your-sandbox-client-secret
partnerId:        PARTNER-ATM-001

{
  "head": { "acquirerId": "10001", "description": "ATM Balance Inquiry" },
  ...
}

Generating x-correlation-id

The correlation ID must be a valid UUID v4 generated fresh for every request. Here are examples in common languages:

// Using built-in crypto module (Node 14.17+)
const { randomUUID } = require('crypto');
const correlationId = randomUUID();
// e.g. "550e8400-e29b-41d4-a716-446655440000"
// Java — using java.util.UUID
import java.util.UUID;
String correlationId = UUID.randomUUID().toString();
# Python — using built-in uuid module
import uuid
correlation_id = str(uuid.uuid4())
# Shell — using uuidgen (macOS/Linux)
CORRELATION_ID=$(uuidgen)

# Or generate a random UUID inline in curl:
curl -H "x-correlation-id: $(uuidgen)" ...

Sandbox Credentials

Request sandbox credentials from the QwikLive Developer Portal. Once obtained, set them as environment variables in your integration environment:

bash
# Set credentials as environment variables — never hardcode in source
export CLIENT_ID="sandbox-client-your-id"
export CLIENT_SECRET="sandbox-secret-your-secret"
export PARTNER_ID="PARTNER-ATM-001"

# Use in curl
curl -s -X POST https://{sandbox-host}/api/ssb/accountservices/v1/accounts \
  -H "Content-Type: application/json" \
  -H "x-correlation-id: $(uuidgen)" \
  -H "client_id: $CLIENT_ID" \
  -H "client_secret: $CLIENT_SECRET" \
  -H "partnerId: $PARTNER_ID" \
  -d '{ ... }'

Authentication Error Responses

HTTP StatusReasonCause
401 HTTP:UNAUTHORIZED client_id or client_secret is missing, invalid, or expired
403 HTTP:FORBIDDEN Credentials are valid but the client is not authorized for this specific operation
🚨
Security Reminder

Never include client_secret values in client-side code, browser requests, mobile apps, or any environment where end users could inspect network traffic. The QwikLive API is designed for server-to-server integration only.