Developer Programs
Getting Started
Get started working with Jack Henry's developer programs today.
Fintech Integration Network (FIN)
Jack Henry's Integration Program for Fintechs.
Technical Account Manager (TAM)
Get technical integration help from a single point of contact.
Developer Account
Create a developer acccount to access resources that help you integrate with Jack Henry.
Learn
Shared Responsibility
Learn about shared roles and responsibilities of customers and Jack Henry in open banking.
Developer Use Cases
Find a use case that fits your development needs.
Developer Video Gallery
Watch the latest demos, webinars, and more.
Developer Conference
Connect with industry leaders, gain insights from expert speakers, and explore our latest innovations.
Docs
Admin API
Create solutions for an institution's back office support tools.
Authentication Framework
Map customer identities to your existing system IDs.
Consumer API
Access financial data for user accounts, transactions, and more.
Data Hub
Get deeper access to financial institution data.
Digital Core
Modernize with cloud-native core banking technology.
Enterprise Event System
Respond to events in real-time using this powerful pub/sub-based solution.
jXchange - REST API
Translate business information between Jack Henry and 3rd-party apps using a REST-based API.
jXchange - SOAP API
Translate business information between Jack Henry and 3rd-party apps using a SOAP-based API.
Operational Data Integration (ODI)
Get customized queries for bulk data needs.
Payments
Embed check deposits, ACH, bill pay, cards, and real-time payments.
Plugin Framework
Embed the best of the fintech world directly into your user's dashboard.
SymXchange
Query Symitar core member accounts, post transactions, run PowerOn scripts, and more.
Full List of APIs
Begin working with Jack Henry's public APIs to build financial applications today.

Authorization Code Flow

Concepts > Typical Auth Flows > Authorization Code Flow

OAuth 2.0 is an open standard used for securely granting applications limited access to user resources without exposing user credentials. The Authorization Code Flow is a widely used OAuth grant type suited for applications that include a backend component capable of securely handling and storing secrets. Although you may have mobile apps or single-page applications (SPAs) in your technology stack, Jack Henry requires that you implement a backend (Confidential Client) to communicate with our APIs to ensure secure credential storage and token management.

When combined with Proof Key for Code Exchange (PKCE), this flow provides robust security.

Key Concepts and Terminology

  • Resource Owner (User): The individual who owns and grants access to their protected resources.
  • Client (Application): The app requesting access to user resources, which must include a confidential backend.
    • Confidential Client: Has a secure backend that can safely store credentials.
  • Authorization Server (Jack Henry Authentication Framework): Issues tokens after user authentication and consent.
  • Resource Server (Jack Henry APIs): Provides protected resources upon receiving valid tokens.
  • Authorization Code: A temporary code issued after successful user authentication.
  • Access Token & Refresh Token: Tokens enabling the client to access resources; refresh tokens allow obtaining new access tokens.
  • Redirect URI: Endpoint in the client’s backend that receives the authorization code after authentication.
Jack Henry requires that all client applications integrate via a Confidential Client (i.e., a secure backend) to interact with our APIs. Direct communication from mobile apps or SPA code to Jack Henry APIs is not supported.

When to Use the Authorization Code Flow

  • Server-side web applications with a backend that can securely store credentials.
  • Mobile or SPAs that interact with their own secure backend (which is the Confidential Client). The frontend never directly calls Jack Henry APIs; instead, it communicates with the backend, which then uses the Authorization Code Flow.

Step-by-Step Authorization Code Flow

sequenceDiagram participant User participant Client_Backend as Confidential Client Backend participant Auth_Server as Jack Henry Authorization Server participant Resource_Server as Jack Henry API rect rgb(200, 220, 255) note over User,Auth_Server: Authorization Request User->>Client_Backend: User navigates to client login Client_Backend->>User: Redirect user's browser to Authorization Server
with client_id,
redirect_uri,
response_type=code,
scope,
state
-- Parameters for PKCE --
code_challenge,
code_challenge_method=S256 User->>Auth_Server: Authenticate & provide consent Auth_Server->>User: Authorization code issued (redirect) User->>Client_Backend: Browser redirect with code & state Client_Backend->>Client_Backend: Validate state parameter end rect rgb(200, 255, 200) note over Client_Backend,Auth_Server: Token Exchange Client_Backend->>Auth_Server: Exchange code for tokens (POST)
grant_type=authorization_code,
code,
redirect_uri,
client_id,
client_assertion
-- Parameters for PKCE --
code_verifier Auth_Server->>Client_Backend: Provide tokens (access, ID, refresh tokens) Client_Backend->>Client_Backend: Securely store tokens end rect rgb(255, 245, 200) note over Client_Backend,Resource_Server: Accessing Resources Client_Backend->>Resource_Server: API call with Access Token
Authorization: Bearer ACCESS_TOKEN Resource_Server->>Client_Backend: Protected resources returned Client_Backend->>User: Deliver resources to user end

1. Authorization Request

The client’s backend directs the user’s browser to the Jack Henry Authorization Server. This URL includes:

Example URL:

https://API_ENVIRONMENT/AUTHENTICATION_ENDPOINT
  ?client_id=CLIENT_ID
  &redirect_uri=CALLBACK_URI
  &response_type=code
  &scope=openid%20profile
  &state=XYZ

Notes:

  • API_ENVIRONMENT could be something like digital.garden-fi.com
  • AUTHENTICATION_ENDPOINT could be something like /a/consumer/api/v0/oidc/auth

With these two examples, you would send the request to https://digital.garden-fi.com/a/consumer/api/v0/oidc/auth

2. User Authentication & Consent

The user logs in to Jack Henry’s Authentication Framework. They see a consent screen listing the requested permissions (scopes). The user must explicitly approve or deny access.

3. Authorization Code Issued

After the user consents, they are redirected back to your backend with an authorization code. The redirect looks like this:

https://REDIRECT_URI/?code=AUTH_CODE&state=XYZ&iss=ISSUER
  • REDIRECT_URI: The configured redirect URI.
  • code: A single-use, temporary credential issued by the Authorization Server. Your backend exchanges this code for an access token (and other tokens) in the Token Exchange step.
  • state: The same random, unique string you generated and sent in the authorization request. Receiving this exact same value provides protection against CSRF attacks. Always validate that the returned state matches the one you originally set.
  • iss: Short for issuer. This identifies which Authorization Server (e.g., Jack Henry’s) issued the authorization code. In an OpenID Connect flow, iss is typically used to verify the origin of tokens and ensure they come from a trusted authority.

4. Token Exchange (Confidential Clients)

The client exchanges the authorization code for an access token by making a POST request:

POST https://API_ENVIRONMENT/TOKEN_ENDPOINT
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=AUTH_CODE
&redirect_uri=CALLBACK_URI
&client_id=CLIENT_ID
&client_secret=CLIENT_SECRET

Notes:

  • API_ENVIRONMENT could be something like digital.garden-fi.com
  • TOKEN_ENDPOINT could be something like /a/consumer/api/v0/oidc/token
  • code_verifier (Parameter for PKCE, see PKCE (Proof Key for Code Exchange))

With these two examples, you would send the request to https://digital.garden-fi.com/a/consumer/api/v0/oidc/token

The server validates and returns the access token (and ID token, if requested):

{
  "access_token": "ACCESS_TOKEN",
  "id_token": "ID_TOKEN",
  "expires_in": 600,
  "token_type": "Bearer",
  "refresh_token": "REFRESH_TOKEN"
}

Using Access Tokens

Access tokens must be sent as Bearer tokens in API calls:

GET https://API_ENVIRONMENT/TARGET_ENDPOINT
Authorization: Bearer ACCESS_TOKEN

Access tokens typically expire quickly (around 10 minutes). If your application needs continual access, use the refresh token to obtain new access tokens securely on your backend.

Authentication Security

The State Parameter

  • What is it? A random, unique string included in the authorization request to prevent CSRF attacks.
  • How to use it:
    1. Generate a random, unguessable state value before redirecting the user’s browser to the Jack Henry Authorization Server.
    2. Send state in the authorization request.
    3. When the user is redirected back to your redirect_uri, compare the returned state to the original value.
    4. If the state does not match, abort the flow.

The Nonce Parameter

  • What is it? A random, unique string used primarily to prevent replay attacks and ensure the response belongs to the original request.
  • When to use it: Commonly used when requesting an ID token (OpenID Connect), especially in flows that might expose tokens in the front-end (e.g., implicit flows). Even if you’re strictly using the Authorization Code Flow, including a nonce can add extra protection for ID token verification.
    1. Generate a random, unguessable nonce.
    2. Include nonce in the authorization request.
    3. The ID token returned by the authorization server should contain the same nonce value.
    4. If it does not match, abort the flow.

Best Practices and Considerations

  • Securely store credentials (for confidential clients).
  • Always validate the state parameter to mitigate CSRF.
  • Clearly handle errors and provide informative responses.

Troubleshooting and Common Issues

Exact String Matching of Redirect URIs

Each Redirect URI is matched using exact string matching. If the Redirect URI does not match, then the authorization flow will not be valid.

  • Redirect URI matching is case-sensitive and path-inclusive so http://localhost:8080/dynamic is NOT the same as http://localhost:8080/Dynamic and NOT the same as http://localhost:8080/dynamic/.
  • ‘Wild card’ Redirect URI formats are not allowed so https://*.example.com is NOT valid.
Verifying Requested Scopes
Scopes define the level of access your application is requesting. If you request scopes that are not permitted or are not supported by the Authorization Server, the request may fail or be partially fulfilled. Ensure your application’s scope request aligns with the permissions you have been granted and that you only request the scopes necessary for your use case.
Handling Token Expiration and Refresh Workflows
Access tokens are valid for a limited time, often just a few minutes. Once they expire, further API requests will fail if you do not acquire a fresh token. Use the refresh token provided during the Token Exchange step to obtain a new access token without prompting the user to re-authenticate. Make sure to securely store and rotate your tokens to minimize security risks.
Have a Question?
Did this page help you?
Last updated Tue Mar 3 2026