Authentication

FV Merchant APIs use a secure JWT-based authentication mechanism.

To access the APIs, you must first generate a SessionToken. This is done using a two-step process:

Step 1: Generate JWT

Create a signed JWT using your ClientID and ClientSecret. This token is short-lived and is used only to authenticate with the /auth endpoint.

Example (Node.js):

const jwt = require('jsonwebtoken');
const clientID = "your_client_id";
const clientSecret = "your_client_secret";
const payload = {
  ClientID: clientID,
  iat: Math.floor(Date.now() / 1000),
  exp: Math.floor(Date.now() / 1000) + (60 * 5) // expires in 5 minutes
};
// jsonwebtoken signs with HS256 (HMAC-SHA256) by default when given a string secret
const token = jwt.sign(payload, clientSecret);
console.log("Generated JWT:", token);

Step 2: Get Session Token

Send the generated JWT in the X-AUTH-TOKEN header to the /auth endpoint. A SessionToken will be returned in the response.

🔑 Get Session Token (Node.js)

Use your pre-generated JWT to authenticate with the /auth endpoint and receive a SessionToken.

Notes:

  • Pass the JWT in the X-AUTH-TOKEN header
  • The response will contain a SessionToken
  • Use the SessionToken for all subsequent API requests

const axios = require('axios');
// 🔐 Your pre-generated JWT
const JWT_TOKEN = 'your_generated_jwt_token_here';
// 🌐 Base URL
const BASE_URL = 'https://sandbox.merchant.fvbank.us/v2';
async function getSessionToken() {
  try {
    const response = await axios.get(
      `${BASE_URL}/auth`,
      {
        headers: {
  …

Step 3: Use Session Token

Include the SessionToken in the X-AUTH-TOKEN header for all subsequent API requests.


Authentication Flow:

Client Credentials → Generate JWT → Call /auth → Receive SessionToken → Use SessionToken for API Calls


Important Notes:

  • JWT is short-lived (~5 minutes) and used only for authentication
  • SessionToken validity depends on the expiration (exp) defined in the JWT used during authentication.
  • A refreshed token may be returned in the x-refresh-token header
  • Always reuse SessionToken until it expires
  • Regenerate token if you receive authentication errors (401)
  • Requests must originate from the same IP used during authentication
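
One way to apply the notes above in a client, as an added example that is not FV's own code: it reuses the SessionToken until the exp placed in the JWT, adopts a token from x-refresh-token, and re-authenticates once on a 401. The SessionClient class, the injected httpGet transport and the data.SessionToken response field are assumptions; the page does not show the /auth response body.

```javascript
const crypto = require('crypto');

// HS256 compact JWT: what jwt.sign(payload, secret) emits by default for a string secret.
function signJwt(payload, secret) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const body = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}`;
  const sig = crypto.createHmac('sha256', secret).update(body).digest('base64url');
  return `${body}.${sig}`;
}

// httpGet(url, headers) -> { status, headers, data } is a hypothetical injected transport,
// e.g. a thin wrapper over axios.get with validateStatus: () => true.
class SessionClient {
  constructor({ baseUrl, clientID, clientSecret, httpGet, now = Date.now }) {
    Object.assign(this, { baseUrl, clientID, clientSecret, httpGet, now });
    this.session = null; // { token, exp }, kept in memory only
  }

  async authenticate() {
    const iat = Math.floor(this.now() / 1000);
    const exp = iat + 60 * 5; // same 5-minute lifetime as Step 1
    const jwt = signJwt({ ClientID: this.clientID, iat, exp }, this.clientSecret);
    const res = await this.httpGet(`${this.baseUrl}/auth`, { 'X-AUTH-TOKEN': jwt });
    // Assumption: the body field is data.SessionToken; the page does not show the response.
    const token = res.status === 200 && res.data ? res.data.SessionToken : null;
    if (!token) throw new Error(`auth failed with status ${res.status}`);
    this.session = { token, exp };
  }

  async get(path, retried = false) {
    const nowSec = Math.floor(this.now() / 1000);
    // Reuse the SessionToken until shortly before the exp that was put in the JWT.
    if (!this.session || nowSec >= this.session.exp - 10) await this.authenticate();
    const headers = { 'X-AUTH-TOKEN': this.session.token };
    const res = await this.httpGet(`${this.baseUrl}${path}`, headers);
    if (res.status === 401 && !retried) { // regenerate once; never loop on 401
      this.session = null;
      return this.get(path, true);
    }
    // Adopt a refreshed token if offered. Its lifetime is not documented on the page,
    // so the original exp is kept and full re-authentication still happens then.
    const refreshed = res.headers && res.headers['x-refresh-token'];
    if (refreshed) this.session.token = refreshed;
    return res;
  }
}
```

Because the ClientSecret is only ever used to compute the HMAC locally, it never leaves the process; only the signed JWT and the SessionToken travel in X-AUTH-TOKEN.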
