
Authentication

Unblock uses a dual authentication method. It allows our servers to identify requests from specific Merchants and to ensure that any modification made to a user's account has the consent of that user.

API key

Merchants will be issued API keys that should be put in the header of all requests to the Unblock API.

📘

API keys are linked to Environments

You can read more about environments and how to get Merchant API keys here

The API keys are in the following format.

API-Key fdsjk235jkfdsakjrn3k2neknrmk23njk43n2km3n4k

Please include all the elements of the string above. Otherwise, you will receive a 401 Unauthorized error.

This API key should be included in the header fields of the request as follows:

curl --request GET \
     --url 'https://api.getunblock.com/exchange-rates/?base_currency=USD&target_currency=USD' \
     --header 'Authorization: API-Key fdsjk235jkfdsakjrn3k2neknrmk23njk43n2km3n4k' \
     --header 'accept: application/json'

This API key is designed to be used in a backend environment and must not be publicly visible. It is how Unblock identifies a Merchant and determines whether a transaction is attributed to a certain commercial deal. Keeping this API key private protects the Merchant's integration. The key also allows Merchants to view all their users' data, which makes exposing it a GDPR and regulatory risk.

🚧

If a Merchant API key is made public it will be deactivated without notice

If a Merchant makes their API key public, by mistake or on purpose, and it comes to the attention of Unblock, the key will be deactivated instantly and without notice. This is to avoid any leak of private user information.

Session id

The session ID is required for all endpoints that modify or create any data related to an Individual or Corporate user. It is a way for Unblock to identify an individual uniquely and, therefore, to ensure that the Individual consents to any of these data modifications.

A session ID can be obtained by two means:

  1. Email One-Time Password
  2. Sign in with Ethereum (SIWE)

The session ID is in UUID format:

b13deca4-7051-485c-9f6d-6b99d3a46043

The session ID should be included in the header fields of all requests that require it, as follows:

curl --request POST \
     --url https://api.getunblock.com/user/bank-account/unblock \
     --header 'Authorization: <<API KEY>>' \
     --header 'accept: application/json' \
     --header 'content-type: application/json' \
     --header 'unblock-session-id: b13deca4-7051-485c-9f6d-6b99d3a46043' \
     --data '{"currency":"EUR"}'

This session_id will be valid for 4 hours, after which it will automatically invalidate itself and need to be renewed.

Only one session_id can be active at any point; if the authorization flow is restarted while another session_id is active, the first session_id will automatically expire.

📘

Session_id is only needed for PUT, PATCH and POST endpoints

GET endpoints, which allow Merchants to retrieve data, do NOT require a session_id. Unblock will identify the user by the user_uuid that can be sent in the header fields of the requests.
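
The header rules from the API key and Session id sections above (full API-Key string, session id only on PUT, PATCH and POST, 4-hour validity), written as a backend-side helper that refuses to build a request that would be rejected. This is an added example, not Unblock's code; the UNBLOCK_API_KEY variable name, the Session class and the locally recorded issued_at timestamp are assumptions.

```python
from __future__ import annotations
import os
import time
import uuid
from dataclasses import dataclass

SESSION_TTL_SECONDS = 4 * 60 * 60           # page: a session_id is valid for 4 hours
SESSION_METHODS = {"PUT", "PATCH", "POST"}  # page: only these need a session_id
KEY_PREFIX = "API-Key "                     # page: the prefix is part of the key string

class AuthError(Exception):
    """Raised locally so a malformed request is never sent to the API."""

@dataclass
class Session:
    session_id: str
    issued_at: float  # epoch seconds noted by the backend at login (assumption)

    def is_live(self, now: float) -> bool:
        return now - self.issued_at < SESSION_TTL_SECONDS

def load_api_key(env=os.environ) -> str:
    # UNBLOCK_API_KEY is a hypothetical name; the key is read server-side only.
    key = env.get("UNBLOCK_API_KEY", "")
    if not key.startswith(KEY_PREFIX) or not key[len(KEY_PREFIX):].strip():
        raise AuthError("API key must be the full 'API-Key <value>' string")
    return key

def build_headers(method: str, api_key: str, session: Session | None = None,
                  now: float | None = None) -> dict[str, str]:
    now = time.time() if now is None else now
    headers = {"Authorization": api_key, "accept": "application/json"}
    if method.upper() not in SESSION_METHODS:
        return headers  # GET: no session id is attached
    if session is None:
        raise AuthError(f"{method} requires a session id")
    try:
        uuid.UUID(session.session_id)
    except ValueError:
        raise AuthError("session id is not a UUID") from None
    if not session.is_live(now):
        raise AuthError("session id expired; restart the authorization flow")
    headers["unblock-session-id"] = session.session_id
    headers["content-type"] = "application/json"
    return headers
```

Because only one session_id can be active per user, the backend should replace its stored Session whenever the authorization flow is restarted.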