For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Contact usLogin
GuidesAPI ReferenceFDX APIChangelog
GuidesAPI ReferenceFDX APIChangelog
  • Overview
    • Introduction
    • Authentication
  • Accounts
  • Statements
  • Customers
  • Transactions
LogoLogo
Contact usLogin
On this page
  • Client Setup
  • OAuth 2.0
  • Token Exchange
  • OAuth Endpoints
  • OIDC Well-Known Configuration
  • 1. Authorize
  • 2. Exchange code for token
  • 3. Refresh token
  • IP Whitelisting
  • Error Responses
  • Token Exchange Errors
  • API Request Errors
Overview

FDX Authentication

OAuth 2.0 and IP whitelisting for FDX API access
Was this page helpful?
Previous

List accounts

Next
Built with

The FDX API uses OAuth 2.0 Bearer token authentication combined with IP address whitelisting.

Client Setup

To access the FDX API, you need a client name and client secret for each environment. Contact Chariot at support@givechariot.com to request credentials.

EnvironmentBase URLCredentials
Productionhttps://api.givechariot.com/fdx/v6Separate client name and secret
Staginghttps://devapi.givechariot.com/fdx/v6Separate client name and secret

Each environment has its own set of credentials. Staging credentials cannot be used in production and vice versa.

OAuth 2.0

All requests must include a valid OAuth 2.0 Bearer token in the Authorization header:

Authorization: Bearer <access_token>

Tokens must include exactly one of the following scopes — they are mutually exclusive per authorization. An authorization containing both will be rejected.

ScopeDescription
read:bank_accountsRead access to bank account data
sync:connected_accountsSync access to connected account data

A client may hold both scopes, but each FDX authorization must contain exactly one. Requests without a valid token receive a 401 Unauthorized response.

Token Exchange

The FDX API uses the OAuth 2.0 Authorization Code flow. After receiving client credentials from Chariot, follow these steps to obtain an access token.

OAuth Endpoints

EnvironmentAuthorizationToken
Productionhttps://dashboard.givechariot.com/oauth/authorizehttps://api.givechariot.com/auth/oauth/token
Staginghttps://staging.dashboard.givechariot.com/oauth/authorizehttps://devapi.givechariot.com/auth/oauth/token

OIDC Well-Known Configuration

EnvironmentURL
Productionhttps://api.givechariot.com/.well-known/openid-configuration
Staginghttps://devapi.givechariot.com/.well-known/openid-configuration

1. Authorize

Redirect the user to the authorization endpoint:

GET https://dashboard.givechariot.com/oauth/authorize
  ?client_id=<client_id>
  &redirect_uri=<redirect_uri>
  &response_type=code
  &scope=read:bank_accounts
ParameterDescription
client_idYour client identifier
redirect_uriThe URI to redirect to after authorization (must match a registered URI)
response_typeMust be code
scopeMust be read:bank_accounts

After the user authorizes, the browser redirects to your redirect_uri with an authorization code query parameter.

2. Exchange code for token

Exchange the authorization code for an access token and refresh token.

POST https://api.givechariot.com/auth/oauth/token

Header — authenticate with HTTP Basic using your client credentials. Requests without this header will be rejected with 403 Unauthorized.

Authorization: Basic base64(client_id:client_secret)

Body (application/x-www-form-urlencoded):

FieldRequiredDescription
grant_typeYesauthorization_code
codeYesThe authorization code from step 1
redirect_uriYesMust match the URI used in step 1
code_verifierNoPKCE code verifier, if PKCE was used

Response:

1{
2  "access_token": "...",
3  "token_type": "Bearer",
4  "refresh_token": "...",
5  "scope": "read:bank_accounts"
6}

3. Refresh token

When the access token expires, use the refresh token to obtain a new one.

POST https://api.givechariot.com/auth/oauth/token

Header — authenticate with HTTP Basic using your client credentials. Requests without this header will be rejected with 403 Unauthorized.

Authorization: Basic base64(client_id:client_secret)

Body (application/x-www-form-urlencoded):

FieldRequiredDescription
grant_typeYesrefresh_token
refresh_tokenYesThe refresh token from the original token exchange

IP Whitelisting

In addition to OAuth 2.0, all requests are validated against an IP whitelist. Requests from non-whitelisted IP addresses receive a 403 Forbidden response.

Contact Chariot to register IP addresses for FDX API access.

Error Responses

All errors follow the RFC 7807 Problem Details format:

1{
2  "type": "about:blank",
3  "title": "Unauthorized",
4  "status": 401,
5  "detail": "Missing or invalid Bearer token"
6}

Token Exchange Errors

Errors returned by POST /auth/oauth/token:

StatusCondition
400 Bad RequestMissing or invalid grant_type, code, refresh_token, or scope parameter
401 UnauthorizedInvalid client credentials, expired authorization code, or invalid refresh token
500 Internal Server ErrorUnexpected server error

API Request Errors

Errors returned by FDX API endpoints:

StatusCondition
400 Bad RequestInvalid query parameters or missing required fields
401 UnauthorizedMissing, invalid, or expired Bearer token
403 ForbiddenInsufficient permissions or IP not whitelisted
404 Not FoundResource does not exist (e.g., invalid account or statement ID)
500 Internal Server ErrorUnexpected server error