Phillip Capital Public API (1.0.0)

A REST API (or Representational State Transfer API) is a method for two systems to communicate and share data over the internet, adhering to a standardized set of rules. In simpler terms, it’s a way for applications to talk to each other, allowing them to exchange information in a consistent and reliable manner. A REST API is an API that communicates using the HTTP protocol, where different resources (such as data or services) are accessible via specific web addresses (URLs). Each URL represents a resource, which could be anything from ledger data to contract note copies. By leveraging REST APIs, systems can efficiently expose data and functionality, ensuring a seamless, reliable exchange of information across distributed platforms.

We utilise the OAuth 2.0 "Client Credentials" flow to ensure secure access to our APIs. This industry-standard authentication protocol allows systems to authenticate and communicate securely without involving user interaction, making it ideal for server-to-server integrations.

How It Works

In the Client Credentials flow, an application (the client) requests an access token directly from the authentication server (Identity Provider, or IdP) using its own credentials. This access token is then used to authorise API requests. Here’s a step-by-step overview:

1. Client Authentication:

The client authenticates with the Identity Provider using a unique client ID and secret. These credentials are issued by the Phillip Capital authentication system when your application is registered.

2. Access Token Request:

Once authenticated, the client requests an access token by calling the token endpoint of the IdP. This request includes the client ID, client secret, and a grant type of client_credentials.

3. Access Token Issuance:

If the client is successfully authenticated, the Identity Provider returns an access token. This token is a time-limited key that the client can use to make authorised API calls.

4. Authorised API Requests:

The client then includes the access token in the header of subsequent API requests, typically in the form of a Bearer token. The API verifies the token before processing the request, ensuring that the client is authorised to access the requested resource.

Example

Obtaining an access token and using it to make a secure API call is a two-step process.

1). Requesting an Access Token

 curl -X POST https://oauth.phillipcapital.com.au/oauth2/token  
 -u client_id:client_secret  
 -d 'grant_type=client_credentials&scope=DataApiServer/data_read_scope' 

This request sends the client ID, client secret, and grant type to the token endpoint. If the credentials are valid, the Identity Provider responds with an access token:

 {"access_token":"9zjf....90823kjns", "token_type":"bearer","expires_in":3600} 

2). Making an Authorised API Call

Once you receive the access token, include it in the Authorisation header of your API requests:

 curl -k -X GET https://api.phillipcapital.com.au:8080/api/v1/ledgers?accountNumber=123456   
 --header 'Accept: application/json'   
 --header 'Authorization: Bearer k9fk32......9238kmsq2'   
 --header 'Content-Type: application/json'  

All communication between your application and Phillip Capital must be encrypted using TLS to protect sensitive data like the client secrets. Access tokens are short-lived to minimise the risk of token misuse in the event of a security breach. By using OAuth 2.0, Phillip Capital ensures that your application can interact with our APIs in a secure, scalable, and standardised way, without exposing unnecessary risk to either party.