Overview

FDX Authentication

OAuth 2.0 and IP whitelisting for FDX API access

The FDX API uses OAuth 2.0 Bearer token authentication combined with IP address whitelisting.

Client Setup

To access the FDX API, you need a client name and client secret for each environment. Contact Chariot at support@givechariot.com to request credentials.

EnvironmentBase URLCredentials
Productionhttps://api.givechariot.com/fdx/v6Separate client name and secret
Staginghttps://devapi.givechariot.com/fdx/v6Separate client name and secret

Each environment has its own set of credentials. Staging credentials cannot be used in production and vice versa.

OAuth 2.0

All requests must include a valid OAuth 2.0 Bearer token in the Authorization header:

Authorization: Bearer <access_token>

Tokens must include the read:bank_accounts scope. Requests without a valid token receive a 401 Unauthorized response.

Token Exchange

The FDX API uses the OAuth 2.0 Authorization Code flow. After receiving client credentials from Chariot, follow these steps to obtain an access token.

OAuth Endpoints

EnvironmentAuthorizationToken
Productionhttps://dashboard.givechariot.com/oauth/authorizehttps://api.givechariot.com/auth/oauth/token
Staginghttps://staging.dashboard.givechariot.com/oauth/authorizehttps://devapi.givechariot.com/auth/oauth/token

OIDC Well-Known Configuration

EnvironmentURL
Productionhttps://api.givechariot.com/.well-known/openid-configuration
Staginghttps://devapi.givechariot.com/.well-known/openid-configuration

1. Authorize

Redirect the user to the authorization endpoint:

GET https://dashboard.givechariot.com/oauth/authorize
  ?client_id=<client_id>
  &redirect_uri=<redirect_uri>
  &response_type=code
  &scope=read:bank_accounts
ParameterDescription
client_idYour client identifier
redirect_uriThe URI to redirect to after authorization (must match a registered URI)
response_typeMust be code
scopeMust be read:bank_accounts

After the user authorizes, the browser redirects to your redirect_uri with an authorization code query parameter.

2. Exchange code for token

Exchange the authorization code for an access token and refresh token:

$curl -X POST https://api.givechariot.com/auth/oauth/token \
>  -u "<client_id>:<client_secret>" \
>  -d "grant_type=authorization_code" \
>  -d "code=<authorization_code>" \
>  -d "redirect_uri=<redirect_uri>"

The response includes an access_token and refresh_token:

1{
2  "access_token": "...",
3  "token_type": "Bearer",
4  "refresh_token": "...",
5  "scope": "read:bank_accounts"
6}

3. Refresh token

When the access token expires, use the refresh token to obtain a new one:

$curl -X POST https://api.givechariot.com/auth/oauth/token \
>  -u "<client_id>:<client_secret>" \
>  -d "grant_type=refresh_token" \
>  -d "refresh_token=<refresh_token>"

IP Whitelisting

In addition to OAuth 2.0, all requests are validated against an IP whitelist. Requests from non-whitelisted IP addresses receive a 403 Forbidden response.

Contact Chariot to register IP addresses for FDX API access.

Error Responses

All errors follow the RFC 7807 Problem Details format:

1{
2  "type": "about:blank",
3  "title": "Unauthorized",
4  "status": 401,
5  "detail": "Missing or invalid Bearer token"
6}

Token Exchange Errors

Errors returned by POST /auth/oauth/token:

StatusCondition
400 Bad RequestMissing or invalid grant_type, code, refresh_token, or scope parameter
401 UnauthorizedInvalid client credentials, expired authorization code, or invalid refresh token
500 Internal Server ErrorUnexpected server error

API Request Errors

Errors returned by FDX API endpoints:

StatusCondition
400 Bad RequestInvalid query parameters or missing required fields
401 UnauthorizedMissing, invalid, or expired Bearer token
403 ForbiddenInsufficient permissions or IP not whitelisted
404 Not FoundResource does not exist (e.g., invalid account or statement ID)
500 Internal Server ErrorUnexpected server error