authentication
The ZimpleMoney system requires users to authenticate before accessing any system information, so most API requests must be authenticated. Authentication can be performed by the system itself, via the /login endpoint, or externally via OAuth2.
Either way, the caller receives a token that is provided on subsequent requests. The token is an opaque, base64-encoded text string and is passed in the HTTP Authorization: header, like this:
Authorization: bearer <token>
The ZimpleMoney API returns a token from each request in the X-Auth-Token: header, like this:
X-Auth-Token: <token>
In general, the token returned in X-Auth-Token may differ from the token sent with the request. Reusing an earlier, still-valid request token will work, but it can have a performance cost, because the API uses the token contents to maintain application session state.
Since authentication is performed at a user (member) level, the API only enables access to information which the user is authorized to access. For example, the /contracts endpoint returns information for "all" contracts (loans), which are only those contracts to which the user has access.
The ZimpleMoney system has the concept of a user acting "on behalf of" another user. This can occur when the user is an administrator, or because another user has set them up as their "client". The /login endpoint supports an onBehalfOf parameter which enables a user to authenticate as themselves, and then access information as if they were logged on as the onBehalfOf user.
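The token-handling rules above (send the bearer token in Authorization:, read the possibly-new token from X-Auth-Token, pass onBehalfOf at login) as a small client, added here as an example and not ZimpleMoney's own client code. The /login endpoint, the onBehalfOf parameter and both header names come from the page; the HTTP method, the JSON field names for the credentials and the behaviour of the in-memory transport are assumptions made so the example runs offline.

```python
# Added example (not ZimpleMoney's own client code). The endpoint /login, the onBehalfOf
# parameter, the "Authorization: bearer <token>" request header and the X-Auth-Token
# response header come from the page; the HTTP method, the JSON field names and the
# in-memory transport below are assumptions so that the example runs without the service.
import base64
import secrets
from typing import Callable, Dict, Optional, Tuple

# A transport takes (method, path, headers, body) and returns (status, headers, body).
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, Dict[str, str], dict]]


class ZimpleMoneyClient:
    """Holds the current bearer token and always carries forward the newest one."""

    def __init__(self, transport: Transport):
        self._transport = transport
        self.token: Optional[str] = None

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        headers: Dict[str, str] = {}
        if self.token is not None:
            headers["Authorization"] = f"bearer {self.token}"
        status, resp_headers, resp_body = self._transport(method, path, headers, body)
        if status == 401:
            raise PermissionError(f"{method} {path}: not authenticated")
        # Header names are case-insensitive in HTTP, so look the token up accordingly.
        new_token = next((v for k, v in resp_headers.items() if k.lower() == "x-auth-token"), None)
        if new_token:
            # The token is opaque: store it exactly as received, never decode or log it.
            self.token = new_token
        return resp_body

    def login(self, username: str, password: str, on_behalf_of: Optional[str] = None) -> dict:
        body = {"username": username, "password": password}  # field names are assumed
        if on_behalf_of is not None:
            body["onBehalfOf"] = on_behalf_of  # parameter name from the page
        return self._call("POST", "/login", body)

    def get(self, path: str) -> dict:
        return self._call("GET", path)


def make_fake_transport() -> Transport:
    """Constructed stand-in for the API: issues a token on /login and rotates it per request."""
    sessions: Dict[str, dict] = {}  # token -> session state

    def new_token(state: dict) -> str:
        tok = base64.b64encode(secrets.token_bytes(18)).decode()
        sessions[tok] = state
        return tok

    def transport(method, path, headers, body):
        if method == "POST" and path == "/login":
            user = body["username"]
            state = {"user": user, "acting_as": body.get("onBehalfOf", user)}
            return 200, {"X-Auth-Token": new_token(state)}, {"ok": True}
        scheme, _, tok = headers.get("Authorization", "").partition(" ")
        state = sessions.get(tok) if scheme.lower() == "bearer" else None
        if state is None:
            return 401, {}, {"error": "unauthenticated"}
        # Earlier tokens stay valid (reuse works), but every response carries a fresh one.
        return 200, {"X-Auth-Token": new_token(state)}, {"path": path, "as_user": state["acting_as"]}

    return transport


def demo() -> dict:
    """Log in as alice acting on behalf of bob, then fetch /contracts with the rotated token."""
    client = ZimpleMoneyClient(make_fake_transport())
    client.login("alice", "correct horse", on_behalf_of="bob")
    first = client.token
    contracts = client.get("/contracts")
    return {"rotated": client.token != first, "as_user": contracts["as_user"]}
```

The client deliberately treats the token as an opaque credential: it is stored as received and never base64-decoded or written to logs, and the newest X-Auth-Token value replaces the stored one after every response so that the server-side session state the page mentions is not left behind.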
