Authentication
How to authenticate every API request using Client ID / Client Secret headers and the required partnerId and correlation ID.
Authentication Mechanism
The QwikLive EAPI uses header-based credential authentication. Unlike OAuth 2.0 flows, there is no token exchange — your client_id and client_secret are included directly in the HTTP headers of every request.
This model is common in enterprise gateway integrations where channel clients (ATM switches, IVR systems) make machine-to-machine calls and require low-latency authentication without a token refresh cycle.
Required Headers
Every request to a service endpoint must include all of the following headers:
| Header | Required | Format | Description |
|---|---|---|---|
| x-correlation-id | Yes | UUID v4 | Unique identifier for this request. Generated fresh per request. Used for end-to-end tracing and support queries. Example: 550e8400-e29b-41d4-a716-446655440000 |
| client_id | Conditional | string | Client ID issued by the QwikLive Developer Portal. Required when client-ID-based policies are active. Provided during onboarding. |
| client_secret | Conditional | string | Client secret paired with client_id. Treat as a password. Never log or expose this value. |
| partnerId | Yes* | string | Identifies the integration partner that originated the request. Required on all endpoints except GET /api/health. Example: PARTNER-ATM-001 |
| Content-Type | Yes | string | Must be application/json on all POST requests. |
The GET /api/health endpoint does not require authentication headers. It is used for connectivity verification and dependency status checks before initiating a session.
Path Parameter: {version}
All service endpoints include a {version} path parameter. Use v1 for the current production-aligned version.
# Correct — always specify version in the path
POST /api/ssb/accountservices/v1/accounts/balance
# All service endpoints follow this pattern
POST /api/ssb/accountservices/{version}/{endpoint}
Complete Header Example
Here is a complete authenticated request showing all required headers:
POST /api/ssb/accountservices/v1/accounts/balance HTTP/1.1
Host: {sandbox-host}
Content-Type: application/json
x-correlation-id: 550e8400-e29b-41d4-a716-446655440000
client_id: your-sandbox-client-id
client_secret: your-sandbox-client-secret
partnerId: PARTNER-ATM-001
{
"head": { "acquirerId": "10001", "description": "ATM Balance Inquiry" },
...
}
Generating x-correlation-id
The correlation ID must be a valid UUID v4 generated fresh for every request. Here are examples in common languages:
// Using built-in crypto module (Node 14.17+)
const { randomUUID } = require('crypto');
const correlationId = randomUUID();
// e.g. "550e8400-e29b-41d4-a716-446655440000"
// Java — using java.util.UUID import java.util.UUID; String correlationId = UUID.randomUUID().toString();
# Python — using built-in uuid module import uuid correlation_id = str(uuid.uuid4())
# Shell — using uuidgen (macOS/Linux) CORRELATION_ID=$(uuidgen) # Or generate a random UUID inline in curl: curl -H "x-correlation-id: $(uuidgen)" ...
Sandbox Credentials
Request sandbox credentials from the QwikLive Developer Portal. Once obtained, set them as environment variables in your integration environment:
# Set credentials as environment variables — never hardcode in source
export CLIENT_ID="sandbox-client-your-id"
export CLIENT_SECRET="sandbox-secret-your-secret"
export PARTNER_ID="PARTNER-ATM-001"
# Use in curl
curl -s -X POST https://{sandbox-host}/api/ssb/accountservices/v1/accounts \
-H "Content-Type: application/json" \
-H "x-correlation-id: $(uuidgen)" \
-H "client_id: $CLIENT_ID" \
-H "client_secret: $CLIENT_SECRET" \
-H "partnerId: $PARTNER_ID" \
-d '{ ... }'
Authentication Error Responses
| HTTP Status | Reason | Cause |
|---|---|---|
| 401 | HTTP:UNAUTHORIZED |
client_id or client_secret is missing, invalid, or expired |
| 403 | HTTP:FORBIDDEN |
Credentials are valid but the client is not authorized for this specific operation |
Never include client_secret values in client-side code, browser requests, mobile apps, or any environment where end users could inspect network traffic. The QwikLive API is designed for server-to-server integration only.