Jack Henry Identity FAQ

What is “institution zero”?

“Institution zero” refers to the institution used internally for storing Jack Henry Identity user profiles, and used as a default institution to login to when another institution hasn’t been selected or specified.

If a user navigates directly to https://login.jackhenry.com without being redirected from some product’s login page, after they authenticate successfully the resulting access token will be for “institution zero”.

Similarly, if a user initiates the Jack Henry Identity authentication flow without starting in the context of a specific institutionId, once they authenticate successfully the resulting access token will be for the “Institution zero” institutionId. After authentication, users are redirected back to the product and typically presented with a list of institutions they’re allowed access to (if more than one). Once the user has made a selection (or logic within the product defaults/selects an institution), the integrating product initiates the OAuth flow again to obtain a token for that institution.

Are integrators required to rotate keys at a particular interval?

No. Each product must make this determination. It's recommended to provide your product's public key via a JWKS URI if possible, and this is required if you intend to rotate keys on some interval.

When using a service account and client credentials flow, what factors should be considered when deciding whether to manage a public + private key pair vs providing your public key as a JWKS URI?

If you intend to rotate public keys, then a JWKS URI is required so you can rotate without downtime, and without Jack Henry Identity operational teams needing to be involved. Jack Henry will only support rotation of a key for cause (i.e. it’s been compromised).

Are integrators required to use a unique public + private key pair for each institution or client?

No. Each product must determine the best balance of security vs operational overhead, based on risk.

Does a user have to be invited to an institution through Users & Groups in order to obtain an access token for that institution?

No. Any valid enterprise user can request and obtain an access token for any institutionId, provided a correct clientId and other details are used. Each product must ensure proper enforcement of privileges and authorizations for each user within their product.

Will users be able to SSO using their Windows Account? (e.g. with X2 products)

No. Users will log into their Windows workstations, then login with their Jack Henry Identity credentials. Passkeys offer a secure and convenient method of authentication leveraging device biometrics to make this as user-friendly as possible.

What is the issuer URL, and will it be changing?

The issuer URL for Jack Henry Identity is https://login.jackhenry.com/a/oidc-provider/api/v0. That will not be changing. However, the issuer https://www.banno.com/a/oidc-provider/api/v0 is also supported, because the identity provider was originally built out for the Banno Admin application.

For a short period, there may be some products integrated using one issuer and some products integrated using the other. If a user needs to access products using both issuers, they would need to authenticate twice. We’ll be working to get all products aligned on using https://login.jackhenry.com/ as quickly as possible, and all new integrating products should utilize it from day one.

Can I place several JWKs in the JWKS?

Yes. If multiple keys are used, the JWT and JWK both need to include the kid property (key ID). Otherwise the JWT is validated against the first matching JWK based on the alg.

When the current key expires, will Jack Henry Identity fetch a new JWKS even though the current JWKS has the new key ID you are looking for?

No. The keys are refreshed based on the Expires or Cache-Control headers returned from the JWKS endpoint, or every 60s if those headers are not provided. Also note that the JWKS can (and likely will) be fetched more frequently.
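The two answers above (kid-based selection versus first match on alg, and refresh driven by Cache-Control/Expires with a 60s fallback) are illustrated by this added example. It is not Jack Henry code; the JWKS is a constructed sample with placeholder key material, and the header handling assumes the endpoint's response headers are available as a plain dict.

```python
import email.utils
import time

# Constructed sample JWKS with two RS256 keys; "n" values are placeholders, not real moduli.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "key-2024", "n": "placeholder", "e": "AQAB"},
    {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "key-2025", "n": "placeholder", "e": "AQAB"},
]}

DEFAULT_REFRESH_SECONDS = 60  # the FAQ's fallback when no caching headers are sent


def select_jwk(jwks, jwt_header):
    """Return the JWK to validate a JWT against, or None if nothing fits.

    Mirrors the FAQ rule: a JWT carrying a kid must match a JWK with that kid;
    without a kid, the first JWK whose alg equals the JWT's alg is used.
    A None result should be treated as a failed validation, never as "use any key".
    """
    keys = jwks.get("keys", [])
    kid = jwt_header.get("kid")
    if kid is not None:
        return next((k for k in keys if k.get("kid") == kid), None)
    return next((k for k in keys if k.get("alg") == jwt_header.get("alg")), None)


def refresh_after_seconds(headers, now=None):
    """Seconds a fetched JWKS may be cached: Cache-Control max-age, else Expires, else 60."""
    now = time.time() if now is None else now
    lowered = {k.lower(): v for k, v in headers.items()}
    for directive in lowered.get("cache-control", "").split(","):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            return int(value)
    expires = lowered.get("expires")
    if expires:
        try:
            parsed = email.utils.parsedate_to_datetime(expires)
            return max(0, int(parsed.timestamp() - now))
        except (TypeError, ValueError):
            pass  # unparseable Expires: fall back to the default interval
    return DEFAULT_REFRESH_SECONDS
```

A JWT whose kid is absent from the cached JWKS yields None here; with the refresh policy above, the integrator's new key only becomes usable once the cache interval elapses, which is why publishing the new key before signing with it matters.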

If Jack Henry Identity can’t successfully fetch a JWKS, what happens?

Requests for the affected clientId would fail until the fetch is successful. The Jack Henry Identity support team has logging available to assist in troubleshooting this type of issue, but there’s not currently any alerting to proactively raise the alarm of a problem.

Is there an expiration time for ID tokens?

One hour.

What is the expiration for access tokens?

Access tokens currently expire after 10 minutes. After that expiration, clients that use offline_access can use a refresh token to get a new access token, OR push the user through the authorization code flow again to get a new access token.

Are there any values within the token that can be changed?

No, with the exception of the clientName, which is based upon the external application configuration in Banno Admin.

Is there an API that will return a list of users who are currently “live” in a specified institution? (By “live” we mean that they have authenticated and their existing authentication session has not timed out or been logged out)

No. Your Backend-for-Frontend (BFF) would need to track its own open sessions. The client should call the BFF to retrieve a list of active sessions between the client and the BFF (not between the BFF and Jack Henry Identity).

How will integrators get access to user groups from Active Directory?

Products that have relied on the groups from Active Directory will need to instead rely on appropriate permissions.

What claims are supported? Can my product add custom claims?

The following claims are supported:

  • email
  • family_name
  • given_name
  • middle_name
  • name
  • phone_number
  • picture
  • preferred_username
  • sub (userId)
  • institution_id (Institution Universal ID)

Custom claims are not supported.

Last updated Mon Nov 10 2025