Authentication

To interact with the Bermuda Commercial Bank RESTful Open Banking API, all requests must be authenticated using JWT (JSON Web Token) access tokens. This guide outlines how to obtain and use these tokens securely.


🔐 Overview

  • Authentication is performed using JWT tokens.
  • Tokens are issued by submitting a POST request with your client credentials.
  • Tokens are valid for 40 minutes.
  • Note: The API does not support refresh tokens. You must request a new token after expiry.

🚀 Steps to Authenticate

1. Request a JWT Access Token

Send a POST request to the authentication endpoint with your clientId and clientSecret.

Endpoint:

POST https://api.bcb.bm/auth/token

📘 For more details, refer to the Token endpoint documentation.

Sample Payload:

{
  "clientId": "your-client-id",
  "clientSecret": "your-client-secret"
}

Sample Response:

{
  "token": "your-jwt-access-token"
}

2. Use the Access Token in API Requests

Include the token in the Authorization header of every API request:

Authorization: Bearer YOUR_ACCESS_TOKEN

📦 Sample: Requesting a JWT Token

// Load credentials from the environment rather than hardcoding them, so the
// client secret is never committed to version control or shipped to a browser.
// (The variable names BCB_CLIENT_ID / BCB_CLIENT_SECRET are illustrative.)
const CLIENT_ID = process.env.BCB_CLIENT_ID;
const CLIENT_SECRET = process.env.BCB_CLIENT_SECRET;

// Keep the token in memory only. Browser localStorage is readable by any
// script on the page, and this flow has to run server-side anyway because
// it holds the client secret.
let accessToken = null;

async function getToken() {
  const response = await fetch('https://api.bcb.bm/auth/token', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Accept': 'application/json'
    },
    body: JSON.stringify({ clientId: CLIENT_ID, clientSecret: CLIENT_SECRET })
  });

  if (!response.ok) {
    // Error bodies are not guaranteed to be JSON; fall back to the status text.
    const errorData = await response.json().catch(() => ({}));
    throw new Error(`Token request failed: ${errorData.message || response.statusText}`);
  }

  const data = await response.json();
  accessToken = data.token;
  // Do not log the token itself: it is a bearer credential.
  console.log('JWT token obtained');
  return accessToken;
}

getToken().catch((error) => console.error('Error obtaining token:', error.message));

🔍 Sample: Making an Authenticated API Call

async function fetchAccountDetails(accountNumber, retried = false) {
  // Reuse the in-memory token from getToken(); request one if none is held yet.
  const token = accessToken || await getToken();

  const response = await fetch(`https://api.bcb.bm/v1/accounts/${encodeURIComponent(accountNumber)}`, {
    method: 'GET',
    headers: {
      'Authorization': `Bearer ${token}`,
      'Accept': 'application/json'
    }
  });

  if (response.status === 401 && !retried) {
    // Token expired or rejected: there are no refresh tokens, so request a
    // fresh one and retry exactly once.
    accessToken = null;
    return fetchAccountDetails(accountNumber, true);
  }

  if (!response.ok) {
    const errorData = await response.json().catch(() => ({}));
    throw new Error(`Request failed: ${errorData.message || response.statusText}`);
  }

  return response.json();
}

fetchAccountDetails('YOUR_ACCOUNT_NUMBER')
  .then((data) => console.log('Account details:', data))
  .catch((error) => console.error('Error fetching account details:', error.message));

✅ Best Practices

  • Store tokens in memory on the server side, or in a secrets store; never in browser localStorage, where any script on the page can read them.
  • Keep the clientId and clientSecret out of frontend code and version control; load them from environment variables or a secrets manager.
  • Handle 401 Unauthorized responses by requesting a new token and retrying the call once.
  • Because refresh tokens are not supported, track the 40-minute expiry and request a new token shortly before it lapses rather than waiting for a failure.
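The expiry tracking and 401 handling described in the best practices above, as an added example that is not part of BCB's documentation or SDK. It assumes (not stated on this page) that the issued JWT carries a standard `exp` claim in seconds since the epoch, and it runs offline against a constructed fake of the token and accounts endpoints so the renewal and retry behaviour can be observed without credentials.

```javascript
// Added example, not BCB's own code: an in-memory token cache that renews the
// JWT shortly before its 40-minute expiry and retries a request once on 401.
// Assumption not stated on the page: the JWT carries a standard `exp` claim.
// Runs offline against a constructed fake of the token and accounts endpoints.

const TOKEN_URL = 'https://api.bcb.bm/auth/token';
const RENEW_MARGIN_SECONDS = 60; // renew when less than this remains before exp

// Read a JWT payload without verifying it. The client is not the verifier;
// it only needs `exp` to decide when to request a new token.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('Malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

function tokenExpiresSoon(token, nowSeconds) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') return true; // no exp claim: treat as expired
  return exp - nowSeconds <= RENEW_MARGIN_SECONDS;
}

class BcbClient {
  constructor({ clientId, clientSecret, fetchImpl = fetch, now = () => Math.floor(Date.now() / 1000) }) {
    this.clientId = clientId;
    this.clientSecret = clientSecret;
    this.fetchImpl = fetchImpl;
    this.now = now;
    this.token = null;      // held in memory only, never localStorage or disk
    this.tokenRequests = 0; // counter so the demo can show when renewal happened
  }

  async getToken() {
    if (this.token && !tokenExpiresSoon(this.token, this.now())) return this.token;
    const res = await this.fetchImpl(TOKEN_URL, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', Accept: 'application/json' },
      body: JSON.stringify({ clientId: this.clientId, clientSecret: this.clientSecret }),
    });
    this.tokenRequests += 1;
    if (!res.ok) throw new Error(`Token request failed: ${res.status}`);
    const { token } = await res.json();
    if (typeof token !== 'string') throw new Error('Token response missing "token"');
    this.token = token;
    return token;
  }

  async request(url, init = {}) {
    const send = async () => this.fetchImpl(url, {
      ...init,
      headers: { ...(init.headers || {}), Accept: 'application/json',
                 Authorization: `Bearer ${await this.getToken()}` },
    });
    let res = await send();
    if (res.status === 401) {
      // Token rejected (expired or revoked server-side): discard it, get a
      // fresh one and retry exactly once. No refresh tokens are available.
      this.token = null;
      res = await send();
    }
    return res;
  }
}

// --- Constructed fake of the bank endpoints, for the offline demo only ---
function makeFakeJwt(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64(claims)}.sig`; // unsigned, demo only
}

function makeFakeApi(now) {
  const valid = new Set();
  let issued = 0;
  const fetchImpl = async (url, init = {}) => {
    if (url === TOKEN_URL) {
      const token = makeFakeJwt({ exp: now() + 40 * 60, jti: String(++issued) });
      valid.add(token);
      return { ok: true, status: 200, json: async () => ({ token }) };
    }
    const token = String((init.headers || {}).Authorization || '').replace(/^Bearer /, '');
    let live = false;
    try { live = valid.has(token) && decodeJwtPayload(token).exp > now(); } catch { live = false; }
    return live ? { ok: true, status: 200, json: async () => ({ accountNumber: '123' }) }
                : { ok: false, status: 401, json: async () => ({ message: 'Unauthorized' }) };
  };
  return { fetchImpl, revokeAll: () => valid.clear() };
}

async function demo() {
  let clock = 1700000000;            // mocked time, seconds since epoch
  const now = () => clock;
  const api = makeFakeApi(now);
  const client = new BcbClient({ clientId: 'id', clientSecret: 'secret', fetchImpl: api.fetchImpl, now });
  const url = 'https://api.bcb.bm/v1/accounts/123';
  const statuses = [];
  statuses.push((await client.request(url)).status); // token #1 issued
  statuses.push((await client.request(url)).status); // cached, no new token
  clock += 39 * 60 + 30;                              // 30 s before exp: renewed proactively (#2)
  statuses.push((await client.request(url)).status);
  api.revokeAll();                                    // server rejects #2 -> 401 -> token #3, retry
  statuses.push((await client.request(url)).status);
  return { statuses, tokenRequests: client.tokenRequests };
}

demo().then((r) => console.log(r)); // { statuses: [200,200,200,200], tokenRequests: 3 }
```

The client decodes `exp` only to schedule renewal; it never trusts the claim for authorization decisions, which remain the API's job. The fake endpoints exist solely so the example runs offline; against the real API, pass no `fetchImpl` and the global `fetch` is used.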