# Authentication

To interact with the Bermuda Commercial Bank RESTful Open Banking API, all requests must be authenticated using **JWT (JSON Web Token)** access tokens. This guide outlines how to obtain and use these tokens securely.

## 🔐 Overview

- Authentication is performed using JWT tokens.
- Tokens are issued by submitting a `POST` request with your client credentials.
- Tokens are valid for **40 minutes**.
- **Note:** The API does not support refresh tokens. You must request a new token after expiry.

## 🚀 Steps to Authenticate

### 1. Request a JWT Access Token

Send a `POST` request to the authentication endpoint with your `clientId` and `clientSecret`.

**Endpoint:**

```
POST https://api.bcb.bm/auth/token
```

> 📘 For more details, refer to the [Token endpoint documentation](/apis/open-banking-api/open-banking-api/token).

**Sample Payload:**

```json
{
  "clientId": "your-client-id",
  "clientSecret": "your-client-secret"
}
```

**Sample Response:**

```json
{
  "token": "your-jwt-access-token"
}
```

### 2. Use the Access Token in API Requests

Include the token in the `Authorization` header of every API request:

```
Authorization: Bearer YOUR_ACCESS_TOKEN
```

## 📦 Sample: Requesting a JWT Token

```javascript
async function getToken() {
  try {
    const response = await fetch('https://api.bcb.bm/auth/token', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'Accept': 'application/json'
      },
      body: JSON.stringify({
        clientId: 'your-client-id',
        clientSecret: 'your-client-secret'
      })
    });

    if (!response.ok) {
      // The error body may not be JSON; fall back to the status text.
      const errorData = await response.json().catch(() => ({}));
      throw new Error(`Token request failed: ${errorData.message || response.statusText}`);
    }

    const data = await response.json();
    console.log('JWT Token:', data.token);

    // localStorage is used here for brevity only; see Best Practices below
    // for guidance on keeping the token in memory or secure storage.
    localStorage.setItem('jwt', data.token);
  } catch (error) {
    console.error('Error obtaining token:', error.message);
  }
}

getToken();
```

## 🔍 Sample: Making an Authenticated API Call

```javascript
async function fetchAccountDetails(accountNumber) {
  try {
    const token = localStorage.getItem('jwt');
    const response = await fetch(`https://api.bcb.bm/v1/accounts/${accountNumber}`, {
      method: 'GET',
      headers: {
        'Authorization': `Bearer ${token}`,
        'Content-Type': 'application/json',
        'Accept': 'application/json'
      }
    });

    if (!response.ok) {
      // The error body may not be JSON; fall back to the status text.
      const errorData = await response.json().catch(() => ({}));
      throw new Error(`Request failed: ${errorData.message || response.statusText}`);
    }

    const data = await response.json();
    console.log('Account details:', data);
  } catch (error) {
    console.error('Error fetching account details:', error.message);
  }
}

fetchAccountDetails('YOUR_ACCOUNT_NUMBER');
```

## ✅ Best Practices

- Store tokens securely (e.g., in memory or secure storage).
- Avoid exposing tokens in frontend code or version control.
- Handle `401 Unauthorized` errors by requesting a new token.
- Implement token expiration checks and renewal logic if needed.
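The following client puts the best practices above together: it keeps the JWT in memory rather than in `localStorage`, tracks the documented 40-minute lifetime (renewing one minute early, an assumed safety margin), and on a `401` discards the cached token and retries exactly once, since the API issues no refresh tokens. This is an added example, not code from the BCB documentation; the `fetchFn` and `now` parameters are assumptions that let the client be exercised offline.

```javascript
// Added example (not from the BCB documentation): in-memory token cache
// with expiry tracking and a single retry on 401. Endpoint URLs and JSON
// shapes follow this page; `fetchFn`/`now` are injectable for testing.
const TOKEN_TTL_MS = 40 * 60 * 1000;      // documented 40-minute validity
const SAFETY_MARGIN_MS = 60 * 1000;       // renew a minute early (assumption)

function createTokenClient({ clientId, clientSecret,
                             fetchFn = globalThis.fetch, now = Date.now }) {
  let cached = null;        // { token, expiresAt }; never written to storage
  let tokenRequests = 0;    // how many times /auth/token has been called

  async function requestToken() {
    tokenRequests += 1;
    const res = await fetchFn('https://api.bcb.bm/auth/token', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', Accept: 'application/json' },
      body: JSON.stringify({ clientId, clientSecret }),
    });
    if (!res.ok) throw new Error(`Token request failed: HTTP ${res.status}`);
    const { token } = await res.json();
    cached = { token, expiresAt: now() + TOKEN_TTL_MS - SAFETY_MARGIN_MS };
    return token;
  }

  // Returns the cached token while it is inside its lifetime; otherwise
  // requests a fresh one (the API has no refresh-token flow).
  async function getToken() {
    if (cached && now() < cached.expiresAt) return cached.token;
    return requestToken();
  }

  // Authenticated call: a 401 drops the cached token and retries once.
  async function authedFetch(url, init = {}, retried = false) {
    const token = await getToken();
    const res = await fetchFn(url, {
      ...init,
      headers: { ...(init.headers || {}), Authorization: `Bearer ${token}`,
                 Accept: 'application/json' },
    });
    if (res.status === 401 && !retried) {
      cached = null;                      // server rejected it: treat as expired
      return authedFetch(url, init, true);
    }
    return res;
  }

  return { getToken, authedFetch, tokenRequestCount: () => tokenRequests };
}
```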