Digital Toolkit

Authentication - Client Credentials (Command Line)

Admin API > Quickstarts > Authentication - Client Credentials (Command Line)

This Quickstart guides you through making your first Client Credentials flow authentication using our command line utility, @jack-henry/banno-client-creds-helper.

This example assumes that you have a working familiarity with the cURL command line tool.

Want to learn more about Authentication? See the Authentication topic for more details.


Before you get started, you’ll need the following:

  • The back office administrator at your financial institution who has access to the Users & Groups section of Banno

If the administrator does not know where to do this, they can review the Configuration topic.

Understanding Your Development Experience
Are you a financial institution?

If you are a financial institution or working directly with a financial institution, you should work with the back office administrator at your institution to get appropriate access to the Admin API.

Are you a fintech or independent developer?

If you are a fintech or other developer working without a financial institution, you are likely using the JackHenry.Dev developer portal. In this case, you will not have access to the Banno Back Office.

Software requirements


This Quickstart uses OpenSSL commands to generate a Public Key + Private Key pair.

Node.js, npm, nvm

The @jack-henry/banno-client-creds-helper utility is built for Node.js and npm.

If you don’t have these installed on your system already, you may want to install a Node Version Manager such as nvm.

The utility requires Node.js version 14.0.0 or later.

Check your current version with node --version.

Generating a public key + private key pair

For more details, see the Public Key + Private Key topic.

Step 1. Create the private Key

Command Line
openssl genpkey -algorithm RSA -out private.pem

Step 2. Create the public key in .PEM format

Command Line
openssl rsa -in private.pem -outform PEM -pubout -out public.pem

Configuration in Users & Groups section of Banno

For more details, see the Configuration topic.

These steps will need to be performed by the back office administrator at your financial institution.

Step 1. Enter a name for the application

Enter a name of Test Application.

Step 2. Select an application type

  • Select Service account
  • Select Signed JWT

Step 3. Copy-and-paste the public key

Copy the contents of the public.pem Public Key file created in the earlier steps.

Paste the contents into the text field.

The Public Key, in .pem format, is a text file and can be viewed with a text editor.

  • You may need to configure your text editor to open .pem formatted files.

Shortcut to copy the contents of the public.pem file

You can use the command below to put the public key directly into your clipboard.

  • This shortcut command works on macOS, Linux, or Unix.
Command Line
pbcopy < public.pem

Step 4. Select the associated user

For more details, see the Associated User topic.

Select the Associated User for this application. The Associated User should have only the privileges/permissions that are specifically necessary for the application to function.

If this user does not exist, then it will have to be created by the back office administrator at your financial institution.

Step 5. Press save

Press the Save button to create the configuration of the API credentials.

This will generate the Client ID necessary for the next step.

Obtain an access token

For more details, see the Client Credentials Flow topic.

You’ll need the following from the previous steps to run the @jack-henry/banno-client-creds-helper utility:

  • Client ID
  • private.pem Private Key file
Command Line
npx @jack-henry/banno-client-creds-helper client-assertion --client-id=[CLIENT_ID] --private-key=./private.pem

The npx command automatically downloads and executes the latest version of the utility on-demand.

The terminal will output the various steps that the @jack-henry/banno-client-creds-helper performs:

  • Creating the JWT payload
  • Signing the JWT
  • Sending the Token Request

You’ll know that you have successfully authenticated based on this part of the terminal output:

Example success response
[content omitted]
Token POST response: {
  "access_token": "<lengthy-json-web-token-string>",
  "expires_in": 600,
  "token_type": "Bearer",
  "scope": "openid full"

When decoded, the Access Token will look similar to the form below:

Decoded Access Token
  "authType": "e",
  "v": "0",
  "clientName": "Test Application",
  "institutionId": "[INSTITUTION_ID]",
  "accountId": "[ACCOUNT_ID]",
  "jti": "7ZGJ4E2HBgXlVrA2jhoMo",
  "iat": 1624985060,
  "exp": 1624985660,
  "scope": "openid full",
  "iss": "",
  "aud": "[CLIENT_ID]"

The Access Token can be used to make API calls.

The Authentication Framework - Tokens article has information on the various Tokens.

Next steps

Congratulations! Continue your learning journey:

Have a Question?
Have a how-to question? Seeing a weird error? Get help on StackOverflow.
Register for the Digital Toolkit Meetup where we answer technical Q&A from the audience.
Last updated Tue Jul 18 2023