Manage Access Tokens

Token-based authentication is a secure way to verify a user's identity when accessing APIs. NAF apps use access tokens, which grant access to Narmi's Public API. If you want to add custom functionality to your NAF app, this allows you to easily onboard a third-party developer by giving them access to Narmi’s API endpoints. The token can be used until it expires or is manually revoked/deleted. Each token is tied to its parent NAF app—if the NAF app is deleted, all of its tokens are also deleted. Once the NAF app is opened by a user in Digital Banking (from Tools or Services), a token is automatically created, but you can also manually create a new token. The access token is used with a client secret for access to the Public API. 

When you create a NAF app, you get a client ID and client secret. The client ID and client secret enable us to encrypt user information as third-party services interact with the Public API. The client ID is an auto-generated identifier for your NAF app. It is not treated as sensitive and is often visible in URLs or static configurations. The client secret is an auto-generated, cryptographically secure character string. It is treated as sensitive and only used for secure server-to-server communication. When a user opens a NAF app in Digital Banking, their information is encrypted using the client secret and sent with them as they are redirected to the third-party service. To generate a new secret, go to Edit or Delete a NAF App.

If you have appropriate permissions, you can select Manage Tokens next to any of the NAF apps in the list. On the page that appears, there is a list of the NAF app’s tokens with options to add or revoke tokens.

Create a New Token

To create a new token:

1. Select Manage tokens next to your NAF app and on the page that appears, select Add new token.

   

   
   

2. On the page that appears, enter the following information:

   • Note – Internal note for your staff

   • Select token expiration – Options are 1 year, 6 months, 3 months, and 1 month

   • Token scope – Decide what API access your NAF app will have. The scopes available to select here are determined by the chosen scopes when the NAF app was created. To add more scopes, edit the NAF App.

     • Read – Read access for any resources that the user can access via the Narmi Public API. Note: This must be selected in addition to "Write" for the NAF app to work.

     • Write – Write access for any resources that the user can access via the Narmi Public API. Note: This must be selected in addition to "Read" for the NAF app to work.

     • Write:preferences – Can update user preferences, like address and eStatements enrollment

     • Read:profile – Can read extended information about the user, including name, address, phone, and core user ID

     • Private_api – Can access all endpoints in the Narmi Admin API. Note: If this is selected, you cannot make your NAF app public.

     • Private_api:user – Can only read the users/{userId} endpoint in the Narmi Admin API. Note: If this is selected, you cannot make your NAF app public.
       

       

       
       Select Create token to finish.
       

3. A dialog appears showing the access token and client secret. Copy and save these values, as they will only be shown once. Sending secrets across the internet more than once, or to different users, is a security risk. Select OK to finish.
   

Revoke/Delete Tokens

You can revoke access by deleting a token. To do this, select Manage Tokens next to your NAF app, then select Revoke next to the token.

Once the token has expired, the "Revoke" button changes to "Delete" in the tokens list.