Making API calls for connected accounts

Using the "Authorization: Bearer" header

To make API calls on behalf of your connected accounts, we follow the OAuth standard. This means every API request needs an Authorization: Bearer {{access_token}} header, for both Standard and Custom accounts.

Access Tokens

To obtain your users' access_token and refresh_token, you first need to complete the steps shown in Integrating Connect with Standard accounts or Integrating Connect with Custom accounts.
To ensure the highest level of security, Standard accounts' tokens expire after 25 days. You'll need to refresh the access_token as shown here.
As Custom accounts are fully managed by the connected platform (final users can never revoke permissions), Custom accounts' tokens do not expire and the platform is responsible for deactivating Custom accounts when needed.
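
The expiry rules above, as an added example (not code from this documentation): a server-side record that refreshes a Standard account's token shortly before the 25-day limit, never refreshes a Custom account's token, and builds the Authorization: Bearer header. The ConnectedAccount class, the one-day margin and the refresh callable are assumptions; the real refresh request is the one linked above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

STANDARD_TOKEN_LIFETIME = timedelta(days=25)  # Standard tokens expire after 25 days
REFRESH_MARGIN = timedelta(days=1)            # assumption: refresh one day early


@dataclass
class ConnectedAccount:
    account_id: str
    kind: str                                  # "standard" or "custom"
    access_token: str = field(repr=False)      # repr=False keeps tokens out of logs
    refresh_token: str = field(repr=False)
    issued_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

    def expires_at(self) -> Optional[datetime]:
        # Custom account tokens do not expire; Standard ones last 25 days.
        if self.kind == "custom":
            return None
        return self.issued_at + STANDARD_TOKEN_LIFETIME

    def needs_refresh(self, now: datetime) -> bool:
        expiry = self.expires_at()
        return expiry is not None and now >= expiry - REFRESH_MARGIN

    def public_view(self) -> dict:
        # The only fields your own endpoints should return: no token material.
        return {"account_id": self.account_id, "kind": self.kind}


def auth_headers(account, refresh, now=None):
    """Return the Authorization header, refreshing a near-expired token first.

    `refresh` is a hypothetical callable: refresh_token -> (access_token, refresh_token).
    """
    now = now or datetime.now(timezone.utc)
    if account.needs_refresh(now):
        account.access_token, account.refresh_token = refresh(account.refresh_token)
        account.issued_at = now
    return {"Authorization": f"Bearer {account.access_token}"}
```
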


Here you can see an example of calculating taxes on behalf of a connected account:
curl \
  -H "Authorization: Bearer {{access_token}}"
The Tax Rates API can be used with a connected account or for your own account, depending on whether you send the Authorization header or not.


Exception: Using connected Standard account's API keys with self-hosted software

When your platform operates as a plugin for WordPress or other self-hosted software outside your full control, you may not be able to implement the OAuth authentication shown above.
In general, API keys are only necessary when a central server is not used to make API requests, as is the case for such plugins.
Only in those cases do we allow you, as an exception, to request the user's private API keys in your UI, so that your plugin can make API calls on the Standard account's behalf that way.
Using API keys directly is strongly discouraged for security reasons. Leaked API keys could potentially cause serious issues, as private API keys grant broad permissions including the ability to read and write sensitive data and move money. Most Connect platforms should avoid using API keys and instead use the access_token in the Authorization: Bearer header as shown above.
For that reason, always protect API keys. They should remain internal to your systems and never be accessible in a browser. Never expose connected account API keys through your own API endpoints.